Version 10.5 Preface


Typographic Conventions 


This document uses these typographic conventions. 


• The names of windows, views, tabs, dialog boxes, panes, panels, buttons, fields, options,
checkboxes, and the like are in Initial Caps, or otherwise capitalized according to their labels.

• Keystrokes are shown in all capital letters, such as TAB, CTRL, OPT, CMD, SPACEBAR.
Keys pressed at the same time are joined with +, such as CTRL+S, OPT+T.

• The names of elements that you are directed to interact with by clicking, selecting, or typing
are shown in bold.

• Immediately contiguous menu actions, such as clicking a toolbar button or menu and then
immediately clicking another item in a resulting submenu, are separated with the > symbol,
such as

Edit > Copy
Preferences > Data Collection

• File names, folder names, file paths, disk names, drive names, volume names, partition names,
and the like are shown in italic. File extensions such as .pdf, .docx, .jpg, and so forth are not
shown in italic.

• Variables are enclosed with <angle brackets>, such as <PLATFORM> VOLUMES, where
<PLATFORM> is either MACOS or WINDOWS.

• Anything you are directed to type exactly, such as file names, commands,
or code, is shown in a console font.


If you find any typos, inaccuracies, or other problems in this documentation, please send an
email to support@cellebrite.com. Please include the title of the document, the version of the
document, and the title of the topic in your message.
Document Revision History
Endpoint Inspector

Change: Created or updated to add information about the Classification feature.
Topics: Menu Bar; Classification Menu; File Filters; Classification chapter; Select Data for a Portable Case; Classifications in Portable Cases

Change: Added information about the Follow URL Links checkbox.
Topics: The Search Options section of the Inspector Preferences or Options topic

Change: Updated to discuss managing Inspector licenses.
Topics: Help Menu

Change: Updated to add information about exporting a password key list.
Topics: The Export Menu section of the Action Menu topic

Change: Created or updated to discuss imaging attached drives.
Topics: Action Menu; Adding Evidence to a Case; Image and Ingest an Attached Drive

Change: Updated to reflect the change from Elasticsearch to SQLite for Smart Index queries.
Topics: Inspector Preferences or Options; Index Searching

Change: Updated to discuss ingestion of .ufd files from UFED or Physical Analyzer.
Topics: Adding Evidence to a Case

Change: Updated to discuss ingesting backups directly from within image files. Removed information about exporting backups from ingested data and importing them separately for ingestion.
Topics: Device Backups; Adding an iOS Disk Image or Backup; Adding Evidence to a Case; Adding a Disk Image

Change: Created to discuss filtering on internet domain category.
Topics: Filtering on Internet Domain Categories

Change: Added information about filtering.
Topics: Activity Correlation

Change: Created or updated to add information about Hex highlighting.
Topics: Insights: Passwords, Program Execution

Change: Added information about the Windows Index view in System view.
Topics: Windows Index

Change: Created or updated to add information about tag folders as well as censoring pictures and video.
Topics: The entire Tags chapter; in the Reporting chapter, Generating and Exporting the Examiner Report and Ordering Tags and Tagged Items in Reports (formerly titled Tags and Tagged Items); Select Data for a Portable Case topic

Change: Added information about using Adobe Acrobat Reader DC on Mac computers.
Topics: Generating and Exporting the Examiner Report
What's New in Version 10.5

This chapter provides information about this release of Cellebrite Inspector.

• Endpoint Inspector
  o Collect Data from Android Devices
  o User Experience Enhancements
• Windows Registry View
• Link to Web Page Announcing New or Changed Features
• Classified Content and Reporting
• Support for Windows Artifacts
• Support for Apple Artifacts
• Enhancements and Performance Improvements
  o Snapshots and Volume Shadow Copies
  o Internet Log Parser
  o Saving and Exporting a File List
  o Optical Character Recognition
  o Column Added to Internet Sub-Views
  o Compression for Exported L01 Files
  o Send Statistics to Cellebrite
• For Windows Computers
  o Media Processing Enhancement
• Improved Portable Case Reader


Changes were made to several areas of Inspector to improve overall performance for both Mac 
and Windows computers. 


Endpoint Inspector 


These changes were made to add functionality and improve the experience for Endpoint 
Inspector users. 


Collect Data from Android Devices 


This data can now be ingested and parsed from remote Android collections. 


• Calls
• SMS and MMS messages
• Contacts
• Calendar


User Experience Enhancements 


In the Remote Browser and Remote File Filter views, sorting by column is improved, particularly 
for the Size column. 


In the Remote Thumbnails view, information in the Metadata panel is easier to read when a 
thumbnail is selected. 
Windows Registry View


Many customers have requested better visibility and navigation in the Registry sub-view of the 
System view. In response, we have made several enhancements. 


The name of the All tab has been changed to Hives. 


On the Hives tab, you can use the new Filter field to search the entire registry at once. By default,
you search in Key Names. You may choose to search Value Names or Value Data in addition
to or instead of Key Names. Matching items are shown in Hierarchical mode, but you can toggle
to Flat List if you prefer. The first time you filter a registry may take some time, but subsequent
searches are almost instantaneous.


In the file content view for the Hives and Significant tabs, the Hex tab now appears by default. 
The view is now also persistent when you switch between the Hives and Significant tabs. 


[Screenshot: the Registry sub-view of the System view with the Hives tab selected. The Filter field offers Key Names, Value Names, and Value Data, with Hierarchical and Flat List display modes; the file content view below the key list opens on the Hex tab.]
When you double-click registry data, the new Path Bar shows this selection as navigation history,
similar to the Path Bar in the Browser view. To navigate within the Path Bar, click on a segment
or the arrows. Unlike in the Browser view, the navigation segment to the right remains visible,
allowing you to navigate through the registry data more easily.


[Screenshot: the Registry sub-view after double-clicking a registry value. The Path Bar shows the selected key path as navigation segments, the Key Path field shows the full path, and the Hex tab shows the raw bytes of the selected record with the sector offset and position in the status bar.]


If the datetime for a recorded registry value is zero or cannot be determined, it now remains
blank rather than showing the Epoch datetime (1601-01-01 00:00:00 UTC). This applies to these
datetime values.

• lastLoginDate
• lastPWChangeDate
• lastFailedLoginDate

Lastly, more registry artifacts can be parsed from additional Windows 10 locations.


Link to Web Page Announcing New or Changed Features 


When you open Inspector after you update it or install it, a web page appears that provides 
information about new and changed features. If your computer does not have an internet 
connection, a QR code appears instead. You can scan this QR code with your mobile phone or 
use it on a different computer to see this web page. 
Classified Content and Reporting


In the Report view, you can now choose whether to include or exclude items based on their 
classification. If an item is both tagged and classified, the classification is honored rather than 
the tag. In other words, if an item is included by means of the tag but that item has a 
classification set to be excluded in the report, that item will be excluded. 


[Screenshot: the Report view, with the Report Elements panel (Cover Page, Case Info, Contents, Evidence, Tags, Case Data) on the left and the report preview on the right. Under Include Report Data by Classification and Exclude Report Data by Classification, the classifications listed are Privileged, Sensitive, Relevant, Classification #4, and Classification #5.]
Support for Windows Artifacts


More artifacts are ingested and parsed from Windows computers, including Windows 11. This 
includes Windows application and usage information. You may see these artifacts in the Insights 
sub-view of the Actionable Intel view. 


• SRUM artifacts from Windows 11.

• In File Knowledge > Recent Items, you can now see the contents of com.microsoft.office.plist,
which provides details about MS Word, Excel, and PowerPoint files that have been opened or
accessed.

• In Program Execution > Feature Usage, you can now see information about how often
applications and features were used. While this information is not definitive proof of behavior,
it can corroborate other forensic data. Even if a user removes an application from their
computer, this information remains.

[Screenshot: the Program Execution node of the Insights sub-view, showing the BAM DAM and CAM entries with their item counts.]


These columns describe feature usage.

App Badge Updated: Shows the number of times the application or feature provided notifications.

App Switch: Shows the number of times the application or feature was left-clicked or brought to
the front from the Task Bar.

Show Jump View: Shows the number of times the application or feature was right-clicked or
brought to the front from the Task Bar.

App Launch: Shows the number of times an application or feature pinned to the Task Bar was
launched.

Tray Button Clicked: Shows the number of times any button on the Task Bar was clicked. This may
include Start, the Clock, Task View, Pen, and anything else the user may have pinned to the
Task Bar.
• Inspector can now ingest and show information from the Windows Capability Access
Manager service. On the Insights view, click Program Execution > CAM.

[Screenshot: the CAM entries under Program Execution in the Insights sub-view, with the file content view tabs Hex, Strings, Preview, Metadata, Location, Record Data, Interpreter, and Data Fork below.]


You can see information about applications’ access to up to 30 separate resources, such 
as the computer's Bluetooth, camera, location service, microphone, and more. These 
columns show information about when activity happened for each resource: Last Written, 
Last Used Time Start, and Last Used Time Stop. If a resource reports a last stopped time 
but there is no last started time, this indicates that an attempt was made to access the 
resource but that access was denied, perhaps due to an issue with the user's privileges. 


You can also determine whether an application is conventional or from the Microsoft 
Store. Applications from the Microsoft Store show “1” in the App Type column and the 
Package Name column is populated. Conventional applications show “0” in the App Type 
column and the Exe Path column is populated. 
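The CAM interpretation described above, together with the blank-instead-of-epoch rule for zero registry datetimes from the Windows Registry View section, as an added Python example. It is not code from this guide or from Cellebrite. The ConsentStore key layout (Store apps keyed by package family name, conventional apps under a NonPackaged key with the path separator encoded as '#'), the FILETIME format of the three timestamps, and the app names and times in the sample entries are assumptions and constructed data, not details stated on the page.

```python
"""Added example: interpret Capability Access Manager (CAM) records the way the
CAM view describes them, leaving zero FILETIMEs blank instead of showing the
1601 epoch. Not code from the Inspector guide or from Cellebrite.
Assumed (not stated by the page): Store apps are keyed by package family
name; conventional apps sit under a NonPackaged key with '\\' encoded as '#';
LastWritten/LastUsedTimeStart/LastUsedTimeStop are 64-bit FILETIMEs
(100 ns ticks since 1601-01-01 UTC, 0 = not set). Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """FILETIME -> aware UTC datetime; zero or negative -> None (shown blank)."""
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used below only to build the constructed samples."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


@dataclass
class CamEntry:
    """One raw ConsentStore record: resource, app key, three FILETIMEs."""
    resource: str          # e.g. "microphone", "webcam", "location"
    app_key: str           # package family name, or NonPackaged\<encoded exe path>
    last_written: int
    last_used_start: int
    last_used_stop: int


@dataclass
class CamRecord:
    """The same record with the columns the CAM view shows."""
    resource: str
    app_type: int                  # 1 = Microsoft Store app, 0 = conventional app
    package_name: Optional[str]    # populated when app_type == 1
    exe_path: Optional[str]        # populated when app_type == 0
    last_written: Optional[datetime]
    last_used_start: Optional[datetime]
    last_used_stop: Optional[datetime]
    denied_attempt: bool           # stop time recorded, start time absent


def interpret(entry: CamEntry) -> CamRecord:
    """Classify the app, decode the timestamps, flag denied access attempts."""
    if entry.app_key.startswith("NonPackaged\\"):
        # 'NonPackaged\C:#Tools#capture.exe' -> 'C:\Tools\capture.exe'
        app_type, package, exe = 0, None, entry.app_key.split("\\", 1)[1].replace("#", "\\")
    else:
        app_type, package, exe = 1, entry.app_key, None
    start = filetime_to_datetime(entry.last_used_start)
    stop = filetime_to_datetime(entry.last_used_stop)
    return CamRecord(
        resource=entry.resource, app_type=app_type, package_name=package, exe_path=exe,
        last_written=filetime_to_datetime(entry.last_written),
        last_used_start=start, last_used_stop=stop,
        # A stop time with no start time: the resource was requested but not granted.
        denied_attempt=stop is not None and start is None,
    )


def denied_attempts(entries: List[CamEntry]) -> List[CamRecord]:
    """Only the records that look like refused resource access."""
    return [rec for rec in map(interpret, entries) if rec.denied_attempt]


# Constructed sample data: hypothetical app names and times.
T_START = datetime_to_filetime(datetime(2022, 1, 15, 12, 0, 0, tzinfo=timezone.utc))
T_STOP = datetime_to_filetime(datetime(2022, 1, 15, 12, 5, 30, tzinfo=timezone.utc))

SAMPLE_ENTRIES = [
    # Store app that held the microphone for five and a half minutes.
    CamEntry("microphone", "Example.ChatApp_1234567890abc", T_STOP, T_START, T_STOP),
    # Conventional app with a stop time but no start time: a denied camera request.
    CamEntry("webcam", "NonPackaged\\C:#Tools#capture.exe", T_STOP, 0, T_STOP),
    # Never used at all: every timestamp stays blank rather than reading 1601-01-01.
    CamEntry("location", "Example.MapsApp_1234567890abc", 0, 0, 0),
]

if __name__ == "__main__":
    for rec in map(interpret, SAMPLE_ENTRIES):
        print(rec)
```

The zero check in filetime_to_datetime is the whole point of the blank-instead-of-epoch change: a record that was never written would otherwise sort to the very start of every timeline and look like activity in 1601. The denied_attempt flag reproduces the stop-without-start reading given above; treat it as a lead to confirm against the user's privileges or consent settings, not as proof on its own.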


Support for Apple Artifacts 


In the Actionable Intel view, you may see more artifacts ingested and parsed from iOS devices 
and Mac computers, including macOS 12. 


To see SIM card history artifacts parsed from iOS devices, click Insights > SIM Card History.

To see artifacts related to Apple Screen Time, click Insights > Apple Screen Time. If Apple Screen
Time had been enabled, this can help you detect patterns of usage. You can see mostly the same
artifacts presented in these different ways:

• By Category
• By Hour
• Counted
• Timed
To see Apple Wallet artifacts parsed from some versions of macOS computers and iOS devices,
click Insights > Apple Wallet. This can help you detect financial patterns. You can see these
artifacts:

• Apple Card
• Apple Cash Account
• Apple Pass
• Apple Transaction
• Apple Wallet Messages


In addition to Apple Maps trip information, Inspector can now ingest maps from macOS and iOS.

To see these network artifacts parsed from macOS computers and iOS devices, click Insights >
Connections > Network Interfaces.

• Network Interfaces
• IP Addresses: Static IP
• DHCP: IPAddress Key


Enhancements and Performance Improvements 


Performance improvements and enhancements to the user interface were made in these areas. 


Snapshots and Volume Shadow Copies 


Filter queries of both Snapshots and Volume Shadow Copies (VSC) perform much faster than 
previously. Greater speed improvements are most apparent on less powerful computers. 


There is now a filter to reveal files in a Snapshot or VSC that are not in the active volume. This 
makes it easier to see files that a user may have deleted or altered in an attempt to hide 
evidence. This new filter can be applied in conjunction with other filters, for example to focus on 
certain kinds of files like pictures or MS Office documents. 


Internet Log Parser 


Internet logs can be parsed from Edge, Opera, and Brave browser data obtained from Mac and 
Windows computers as well as from iOS and Android devices. The location or file is identified for 
any of these artifacts found. 


• Bookmarks (Shortcuts appear on the Bookmarks tab)
• Cookies
• Form Data
• History
• Last Session
• Recent Search
• Top Sites
Saving and Exporting a File List


Saving and exporting a file list has been improved. When you click Action > Save File Listing, you 
provide the name of the file list, specify appropriate tags, choose the destination for the file list, 
and then click Save. The new Select Columns for Export File Listing dialog box appears. 


[Screenshot: the Select Columns for Export File Listing dialog box, with a Use UTC Time checkbox and Cancel and OK buttons. It offers three groups of columns.]

Regular File Data: BBTID, FileSystemID, Parent FileSystemID, Name, Path, Size, Extension, Content Extension, Date Created, Date Changed, Date Modified, Date Accessed, Date Added, File System Offset, fsType, Directory, Visible, Locked, Owner ID, Group ID, Permissions, Entropy, ForkCount; File Hashes: MD5

Spotlight Data (Apple): _kmditembundleid, _kmditemcreationdate, _kmditemexternalid, _kmditemfilename, _kmditemstoragesize, byte_offset, cache_file, date_updated, flags, item_id, kmditemaccounthandles, kmditemaccountidentifier, kmditemaccounttype, kmditemcontentcreationdate, kmditemcontentmodificationdate, kmditemcontenttype, kmditemcontenturl, kmditemdateadded, kmditemdescription, kmditemdisplayname, kmditemkind, kmditemlastuseddate, kmditemusecount, oid, parent_oid

Index Data (Windows): system_dateaccessed, system_datecreated, system_dateimported, system_datemodified, system_document_datecreated, system_document_datesaved, system_fileattributes, system_filename, system_itemtypetext, system_itemurl, work_id


In the Regular File Data list, you can select the metadata columns to include for each file. You can
use the standard keystrokes for your computer's operating system to select or deselect all or
some items in the list. If any hash process had been run, you can also choose to include any
available hash types. If the processes for Apple Spotlight Data or Windows Index Data had been
run, you can choose to include any of that data as well.

You can specify whether the time format will appear as UTC or as the local time zone. This may
be helpful when the exported data will be used in different tools.

The selections you make in the Select Columns for Export File Listing dialog box are remembered
for the next time you export a file list, unless you change them.

When you click OK, the file listing is saved in a tab-delimited .txt file. You can open this file in MS
Excel.
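An added Python example, not code from this guide or from Cellebrite, that works on two of the exported listings described above: one saved from the active volume and one saved from a Snapshot or Volume Shadow Copy. It does offline what the new VSC filter does in the Snapshots and Volume Shadow Copies section, reporting files that exist only in the shadow copy (deleted since) and files whose hash changed (altered since), with an optional extension filter to mimic combining the VSC filter with a file-type filter. It assumes both listings were exported with at least the Path, Size and MD5 columns; the paths and hash values in the sample listings are constructed.

```python
"""Added example, not code from the Inspector guide or from Cellebrite.
Compare a file listing exported from the active volume with one exported from
a Volume Shadow Copy (both tab-delimited .txt with a header row, as
Action > Save File Listing produces). Assumes the Path, Size and MD5 columns
were selected for both exports. Sample listings below are constructed.
"""
import csv
import io
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample listings (hypothetical paths and hash values).
ACTIVE_LISTING = """Name\tPath\tSize\tMD5
report.docx\t/Users/jdoe/Documents/report.docx\t20480\t0a1b2c3d4e5f60718293a4b5c6d7e8f9
photo.jpg\t/Users/jdoe/Pictures/photo.jpg\t348120\tffeeddccbbaa99887766554433221100
notes.txt\t/Users/jdoe/Documents/notes.txt\t512\t00112233445566778899aabbccddeeff
"""

SHADOW_LISTING = """Name\tPath\tSize\tMD5
report.docx\t/Users/jdoe/Documents/report.docx\t19968\t9f8e7d6c5b4a39281706f5e4d3c2b1a0
photo.jpg\t/Users/jdoe/Pictures/photo.jpg\t348120\tffeeddccbbaa99887766554433221100
ledger.xlsx\t/Users/jdoe/Documents/ledger.xlsx\t65536\t123456789abcdef0123456789abcdef0
notes.txt\t/Users/jdoe/Documents/notes.txt\t512\t00112233445566778899aabbccddeeff
"""

Listing = Dict[str, Dict[str, str]]   # full path -> row of column values


def parse_listing(text: str) -> Listing:
    """Parse a tab-delimited file listing into a dict keyed by full path.
    The csv module with a tab delimiter is used so quoted fields survive."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows: Listing = {}
    for row in reader:
        path = row.get("Path")
        if not path:
            continue            # skip blank or malformed lines
        rows[path] = row
    return rows


def has_extension(path: str, extensions: Optional[Iterable[str]]) -> bool:
    """Optional case-insensitive extension filter; no filter means match all."""
    if not extensions:
        return True
    lower = path.lower()
    return any(lower.endswith("." + ext.lower().lstrip(".")) for ext in extensions)


def compare_listings(active: Listing, shadow: Listing,
                     extensions: Optional[Iterable[str]] = None) -> Tuple[List[str], List[str]]:
    """Return (shadow_only, altered): paths present only in the shadow copy, and
    paths present in both whose MD5 differs (falling back to Size if no hash)."""
    shadow_only: List[str] = []
    altered: List[str] = []
    for path, row in sorted(shadow.items()):
        if not has_extension(path, extensions):
            continue
        current = active.get(path)
        if current is None:
            shadow_only.append(path)
            continue
        if row.get("MD5") and current.get("MD5"):
            changed = row["MD5"].lower() != current["MD5"].lower()
        else:
            changed = row.get("Size") != current.get("Size")
        if changed:
            altered.append(path)
    return shadow_only, altered


if __name__ == "__main__":
    active, shadow = parse_listing(ACTIVE_LISTING), parse_listing(SHADOW_LISTING)
    only, changed = compare_listings(active, shadow)
    print("In shadow copy only:", only)
    print("Altered since shadow copy:", changed)
    print("Office files only:", compare_listings(active, shadow, extensions=["docx", "xlsx"]))
```

Export both listings with the same volume root and the same column selection so that paths are comparable. If the hash process was not run before export, the comparison falls back to size, which cannot detect an edit that leaves the size unchanged; run hashing first when the question is whether content was altered.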


Optical Character Recognition 


Optical character recognition (OCR) can identify and extract more text than before with improved
accuracy. OCR output is included in Index search.
Column Added to Internet Sub-Views

The Internet Category column has been added to these Internet sub-views.

• Bookmarks
• Cache
• Cookies
• Downloads
• History
• Last Session
• Top Sites

The Form Data and Recent Search views do not support the Internet Category column.


Compression for Exported L01 Files 


You can now choose to enable compression when L01 files are exported. The degree of 
compression and the amount of time it takes depends on the content of each L01 file. 


1. To enable this compression, choose the appropriate option.
• On a Mac computer, click Inspector > Preferences.
• On a Windows computer, click Edit > Options.

2. Click the Export tab.
3. Under Exporting Files, mark the checkbox for Enable L01 Compression.


Send Statistics to Cellebrite 


It is now possible for you to send statistics to Cellebrite about how you use Inspector. These
statistics are about actions and interactions related to your use of Inspector and about quantities
and types of images and evidence. This lets us understand broad patterns for how customers
use Inspector so that we can identify opportunities to improve it.

No specific case data or personal information is sent to Cellebrite. You can choose not to
participate, and you can change this setting later.

1. To see or change this setting, choose the appropriate option.

• On a Mac computer, click Inspector > Preferences.
• On a Windows computer, click Edit > Options.
2. Click Options.

[Screenshot: the Options tab of the Inspector Options dialog box (tabs: General, Options, Report, Export, Dialogs, Templates, Project VIC). Its sections are iOS Devices (Recover Deleted SQLite Records); Processing Options (Max Number of Processors to Utilize, Remember Ingestion Options, Microsoft Symbols Settings...); Search Options (Deduplicate Hits Across Volume Shadow Copies, Embedded HTML Links, Follow URL Links); and Share Diagnostic Data with Cellebrite (Allow; Learn more about what data we collect?).]

3. Under Share Diagnostic Data with Cellebrite, mark or unmark the checkbox for Allow.


For Windows Computers 


This change was made to Inspector running on Windows computers. 


Media Processing Enhancement 


If Inspector encounters difficulty during media processing, it automatically changes from 
parallel processing to single file processing. This allows Inspector to find the specific file that 
caused the difficulty; such files are often corrupt. 


During single file processing, Inspector runs more slowly and may seem to be stalled. After 
Inspector finds the specific file that caused the difficulty, media processing automatically 
resumes parallel processing. 


Improved Portable Case Reader 


The Portable Case Reader now has more views in common with Inspector. All of the System 
views are now available in Portable Cases: 


• Registry and these sub-views: Hives, Significant, ShellBags
• Spotlight
• Windows Index
• Dictionary
• Applications
• System Logs
• Memory and these sub-views: Processes, Libraries, Sockets, Handles, Drivers
Introduction

Cellebrite Inspector is a comprehensive software solution to help investigators conduct digital
forensic investigations on Mac computers, iOS devices (iPhone, iPad, iPod touch), Android
devices, and Windows computers. Inspector is designed for both novice and advanced users and
offers a clean interface featuring easy navigation as well as powerful advanced options. The
interface provides forensic examiners both robust capabilities and an intuitive and elegant user
experience throughout all phases of a digital forensic investigation.

With Inspector, you can accomplish these tasks.

• Manage cases.
• Collect files from remote computers (only for customers using Endpoint Inspector, offered by
Cellebrite Enterprise Services).
• Ingest, manage, and verify evidence.
• Browse, search, and filter evidence.
• Analyze evidence with views focused on timelines, media, communications, locations,
internet activity, productivity tools, system activities, and actionable intelligence.
• Tag evidence, create reports, and share evidence in portable case files.

This chapter provides these topics about Cellebrite Inspector:

• Intended Audience
• Hardware and Software Requirements
• Installing Cellebrite Inspector
• Registration
• Analyzing Digital Evidence
• Reporting
• Sharing Cases
• Backing Up Case Evidence
• Collecting Files from Remote Computers
• Getting Support
Intended Audience

Forensic software tools offered by Cellebrite are intended for use by law enforcement officials,
private investigators, corporate security specialists, and other parties who investigate Mac-based
and Windows-based computers and devices for evidentiary data.


Users of Cellebrite software should possess these core competencies. 


• Basic knowledge of and experience using Apple and Windows computers and their peripheral
devices
• Familiarity with macOS and Windows operating system environments
• Knowledge of and training in basic computer forensics policies and procedures
• An understanding of forensic images and how to correctly acquire them
• A fundamental understanding of how to preserve, acquire, authenticate, and analyze digital
evidence, and how to report digital forensic investigation findings


Digital Forensics Overview 


Digital forensics is the preserving, acquiring, authenticating, analyzing, reporting, and managing
of digital evidence. Digital evidence includes data found on computer hard drives, external hard
drives, CDs and DVDs, portable media such as USB thumb drives, Android devices, and iPod,
iPhone, and iPad (iOS) devices.


A digital forensic examination includes these basic steps. 


Preserve: Identify, secure, transport, and store the digital evidence (chain of custody). 
Acquire: Create a forensically sound image of the evidence. 

Authenticate: Confirm the forensic image is identical to the original (forensically sound). 
Analyze: Create a case and analyze the evidence using an appropriate software solution. 
Report: Thoroughly document the data investigation process and results of the analysis. 
Manage: Back up, archive, detach/attach, and restore cases and evidence as needed. 
Preserving and Acquiring Digital Forensic Evidence


Digital evidence must be preserved in its original form to the greatest extent possible for it to be 
admissible during a legal proceeding. A forensic examiner must carefully preserve, acquire, and 
authenticate electronic data during their examination. Therefore, it is of the utmost importance 
to acquire electronic evidence in a way that ensures no changes are made to the original data 
during the acquisition process. 


A forensically sound image is a bit-by-bit image that is identical in every way to the original, 
including allocated, unallocated, and free space. 
Preserving Evidence Using a Write-Blocker

Some operating systems attempt to write to the hard drive or device containing original evidence
during the acquisition process. A write-blocker stands between the forensic examiner's
computer or hardware acquisition tool and the devices containing the original evidence.
Write-blockers prevent evidence contamination during the acquisition process.


These are the types of write-blockers. 


Hardware-Based Write-Blockers: A hardware-based write-blocker is a hardware device that is 
placed with cables and port connections between the forensic examiner's computer and the 
device containing the original digital evidence. Hardware-based write-blockers allow one-way, 
read-only data transfer between the device containing the evidence and the forensic examiner's 
computer. If the forensic examiner's operating system tries to write to the device containing the 
original data, the write-blocker blocks the unwanted data transfer. 


Software-Based Write-Blockers: Software-based write-blockers serve the same purpose as 
hardware-based write-blockers. Software-based write-blockers reside on either the forensic 
examiner's computer, or on a hardware acquisition tool. SoftBlock™, offered by Cellebrite, is an 
example of a software-based write-blocker that runs on the forensic examiner's computer. 
Digital Collector, offered by Cellebrite, is an example of a hardware acquisition tool that has a 
software-based write-blocker built in. 


A software-based write-blocker may be advantageous to a forensic examiner, as it may eliminate 
the need to purchase and carry expensive and cumbersome external hardware-based write- 
blockers. 


Using SoftBlock During a Live Acquisition 


A forensic examiner may need to acquire data from a machine while the machine is running, or
live. Data collected during a live acquisition may be saved to a forensic image as needed. Live
data may be acquired from hard drives or another electronic data source.


During a live acquisition, the device containing the original evidence must remain connected to 
the forensic examiner's machine throughout the investigation. A write-blocker must be in place 
throughout the investigation as well. SoftBlock is an excellent software-based write-blocking 
solution for live data acquisitions. 
Acquiring Digital Evidence

A forensic image is a physical representation of the acquired device, even though it is saved as a
file. Forensic images are static, meaning they remain the same even after you add them to a
case. Forensic images may be backed up and stored for later use if necessary.


A forensic examiner uses these types of tools to acquire digital evidence. 


Hardware Acquisition Tools: Hardware acquisition tools are physical devices used to collect
digital evidence. They do not necessarily have a central processing unit (CPU), are self-contained,
and may be hand-held. Digital Collector is an example of a hardware acquisition tool.
Digital Collector can acquire a forensically sound image or collect data directly from a live
source Mac or Windows computer (including RAM for macOS).

Software Acquisition Tools: Software acquisition tools reside on a forensic examiner's
computer. Software acquisition tools often allow a forensic examiner to choose the forensic
image file format, compression level, and the size of the data segments at the time the
acquisition is performed. Inspector, offered by Cellebrite, has a software acquisition tool built in
for acquiring iOS and Android devices.


Authentication and Hashing 


After you acquire a forensic image, you must authenticate it to confirm the image is an exact
copy of the original. This is accomplished by hashing both the source and the acquired image.
Hashing is the process, done by forensic software, of applying an algorithm (mathematical
formula) to generate a fixed-length value that, for practical purposes, uniquely identifies the
data. This value is usually expressed as a sequence of hexadecimal digits. If the hash value of
the acquired forensic image matches the hash value of the original data, the forensic image and
original data can be considered identical; any difference, even a single changed bit, produces a
different hash value.

Digital Collector and Inspector use these algorithms to generate hash values.

• Message Digest 5 (MD5)
• Secure Hash Algorithm 1 (SHA-1)
• Secure Hash Algorithm 2, 256-bit length (SHA-256)

MD5 and SHA-1 remain useful for matching files against existing hash sets, but both have known
collision attacks. Where an image hash must withstand a deliberate attempt to substitute data
rather than only detect accidental change, record SHA-256 as well.

Note: You may also hash individual files with Inspector.
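Authentication as described above, as an added Python example that is not code from this guide or from Cellebrite: the source and the acquired image are hashed with MD5, SHA-1 and SHA-256 in a single read pass and compared per algorithm. The "source device" and the two "images" are constructed in-memory byte streams; the chunk size and the single flipped bit are choices made for the example.

```python
"""Added example, not code from the Inspector guide or from Cellebrite.
Hash a source and an acquired image with MD5, SHA-1 and SHA-256 in one pass
and authenticate the image by comparing the digests. The byte streams below
are constructed stand-ins for a source device and its image files.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fp: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once in chunks, feeding every algorithm as we go, so a
    large image is not read three times."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = fp.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Convenience wrapper for in-memory data (a file object works the same)."""
    return hash_stream(io.BytesIO(data), chunk_size)


def verify_image(source_hashes: Dict[str, str],
                 image_hashes: Dict[str, str]) -> Tuple[bool, Dict[str, bool]]:
    """Compare per algorithm; the image is authenticated only if every algorithm
    present on both sides matches. With no algorithm in common there is nothing
    to authenticate, so the result is False."""
    common = sorted(set(source_hashes) & set(image_hashes))
    if not common:
        return False, {}
    per_algorithm = {name: source_hashes[name].lower() == image_hashes[name].lower()
                     for name in common}
    return all(per_algorithm.values()), per_algorithm


# Constructed sample: a "source device", a faithful image, and an image with
# one flipped bit in the middle.
SOURCE = bytes(range(256)) * 64              # 16 KiB of deterministic content
IMAGE_GOOD = bytes(SOURCE)
_bad = bytearray(SOURCE)
_bad[4096] ^= 0x01
IMAGE_BAD = bytes(_bad)

if __name__ == "__main__":
    src = hash_bytes(SOURCE)
    for label, img in (("good image", IMAGE_GOOD), ("bad image", IMAGE_BAD)):
        ok, detail = verify_image(src, hash_bytes(img, chunk_size=4000))
        print(label, "authenticated" if ok else "MISMATCH", detail)
```

A chunk size that does not divide the image length (4000 bytes against 16 KiB above) exercises the streaming path across chunk boundaries; the digests must come out identical to a one-shot hash. Record all three values in the case notes when they are available, since a hash set or a second tool may only carry one of them.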
Hardware and Software Requirements

The macOS installer for Inspector is delivered as a package file (.pkg) while the Windows
installer is delivered as a setup executable.

In addition to the Inspector installers, the installers for operating system hash sets and memory
symbols must also be installed for Inspector to take advantage of those features.


Recommended Hardware Requirements

Platform: Intel 64-bit based systems
Processor Requirements: Intel Xeon E5, 6-Core, or better
RAM Requirements: 32 GB DDR3 or higher
Screen Resolution: 1680 x 1050 or higher
Free Disk Space: 5 GB (installation only); 25 GB (temp space)

Minimum Hardware Requirements

Platform: Intel based systems (Mac); x64 architecture (Windows)
Processor Requirements: 2.7 GHz Intel Core i7
RAM Requirements: 16 GB DDR3
Screen Resolution: 1024 x 768 or higher
Free Disk Space: 5 GB (installation only); 25 GB (temp space)

Minimum Software Requirements

Operating System: Mac OS X 10.12.6 or newer*†; Windows® 10 1809 or newer; Windows® Server 2016 or newer
iTunes: 12.6 or newer
QuickTime (Mac): 7.6.9 or newer
Windows Media Player (Windows): 12 or newer**

* In testing it was determined that Inspector performs best on OS X version 10.14.6.

† We recommend strongly against using macOS versions .0 and .1 in all cases, for example,
10.15.0 or 10.15.1.
** For Windows systems, Inspector uses whatever the default app may be for playing media files.
Windows Media Player 12 is recommended. If you use Windows and do not have QuickTime
installed and you need to play certain file types such as .AMR files (voicemail and so forth), you
must install some non-default codecs, following the instructions found here:
http://shark007.net/win8codecs.html.


For information about downloading iTunes and QuickTime, visit 
http://www.apple.com/quicktime/download/. 


Installing Cellebrite Inspector 


This user guide does not include installation instructions. For installation instructions, log in to 
https://www.community.cellebrite.com/s/support and select the Cellebrite Inspector Installation 
Guide in Product Documentation. 


Registration 


Cellebrite Inspector product license registration occurs at the time of payment and before the 
product is downloaded or shipped. Each license is bound to either a USB security device or a 
license key. 


You may view your current registration information, check for product updates and download 
new product releases from within Inspector, or by visiting our website at 
https://community.cellebrite.com/. 


Each new Inspector product license includes a one-year license subscription. During this one- 
year subscription period, you will have full access to Cellebrite technical support, and the right to 
download and install currently licensed product updates and new releases for that product. 


Please be sure to renew your product license subscriptions annually to continue receiving 
subscription benefits. 


Customers in law enforcement may continue to use Cellebrite Inspector if the subscription is not 
renewed; however, subscription benefits are no longer available. 


Customers in the private sector can no longer use Cellebrite Inspector if the subscription is not 
renewed. 
Analyzing Digital Evidence


Digital forensic analysis includes identifying meaningful evidence that will be included in the 
forensic examiner's report. This section briefly describes several Cellebrite Inspector features 
that help streamline this process. 


Hashing Individual Files 


As mentioned in the previous section, hashing may also be performed on individual files. When a
new case is created, or additional evidence is added to an existing case, Inspector gives the
investigator the option of hashing all files as they are added. These hash values may then be
used to verify file integrity, identify duplicate files, and identify both known and unknown
files.


Known-file identification is useful during a forensic examination. Known files might be
standard system files that a forensic examiner may wish to ignore, or they may be files known to
contain illicit or dangerous material. Unknown files may warrant further investigation.


Known File Hash Set Database 


Inspector can use a Known File Hash (KFH) database when installed. This database allows a 
forensic examiner to quickly identify known file types in a case and determine whether certain 
files represent meaningful or insignificant evidence. 
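The hash-set workflow described here (hash every file at import, look each hash up in a known-file
set, and group files that share a hash, which is also what the Find Identical Files action does) as
an added example. This is not Inspector's code and the hash set, categories and sample files are
all constructed inside the block; a production set such as NSRL is a large list distributed by
MD5, SHA-1 and SHA-256, and whether a known file is "ignorable" or "notable" is the examiner's
decision, not a property of the hash. A hash match only ever proves byte-for-byte identity: a
copy with a single changed byte is "unknown" again.

```python
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample case: relative path -> content. The two .docx entries are byte-identical.
SAMPLE_FILES = {
    "bin/ls": b"\x7fELF constructed stand-in for a stock system binary\n",
    "Documents/report.docx": b"PK\x03\x04 constructed report body\n",
    "Documents/report (copy).docx": b"PK\x03\x04 constructed report body\n",
    "Pictures/IMG_0042.jpg": b"\xff\xd8\xff\xe0 constructed picture bytes\n",
    "Documents/notes.txt": b"nothing known about this one\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Chunked file hash, the same operation 'Calculate Hashes' performs at import."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed known-file hash set keyed by SHA-256: hash -> (category, label).
KNOWN_HASH_SET = {
    sha256_bytes(SAMPLE_FILES["bin/ls"]): ("ignorable", "stock OS binary"),
    sha256_bytes(SAMPLE_FILES["Pictures/IMG_0042.jpg"]): ("notable", "flagged in a prior case"),
}


def hash_tree(root: Path) -> dict[str, str]:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def classify(hashes: dict[str, str], hash_set: dict) -> dict[str, str]:
    """Label each path known-ignorable, known-notable or unknown by hash-set lookup."""
    return {
        path: ("known-" + hash_set[h][0]) if h in hash_set else "unknown"
        for path, h in hashes.items()
    }


def find_identical(hashes: dict[str, str]) -> list[list[str]]:
    """Group paths that share a hash: what Find Identical Files shows for a selected file."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path, h in hashes.items():
        groups[h].append(path)
    return sorted(sorted(group) for group in groups.values() if len(group) > 1)


def run_sample_case() -> tuple[dict[str, str], list[list[str]]]:
    """Materialise the constructed files in a temp directory, hash, classify and group them."""
    root = Path(tempfile.mkdtemp(prefix="kfh_"))
    try:
        for rel, data in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        hashes = hash_tree(root)
        return classify(hashes, KNOWN_HASH_SET), find_identical(hashes)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    verdicts, duplicates = run_sample_case()
    for path, verdict in verdicts.items():
        print(f"{verdict:16} {path}")
    print("identical groups:", duplicates)
```

Filtering on "known-ignorable" is how an examiner strips stock operating-system files from a
file list before triage; the "known-notable" hits are the ones to look at first.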


Searching 


Inspector includes multiple search features. A live or content search is a byte-by-byte comparison
of a chosen search term against the entire evidence set in a case, including unallocated space.
This type of search takes longer to complete than an index search, but a live (content) search
allows the examiner to search for non-alphanumeric characters and perform pattern searches (such
as regular expressions and hexadecimal values). A smart index search queries an index that
Inspector builds from data residing in allocated space, so it cannot return hits from unallocated
space.
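The difference between the two search types, as an added example (not Inspector's code): a
content search scans every byte of the image, here in overlapping chunks so that a hit straddling
a chunk boundary is still found exactly once, and accepts regular expressions, a hex signature and
a plain term; the index search only knows tokens from allocated files. The "image", its two
allocated files and the deleted fragment in unallocated space are constructed inside the block.

```python
import re

# Constructed evidence: an allocated region holding two files, then unallocated space that
# still holds a deleted fragment. Synthetic bytes, not a real image.
ALLOCATED_FILES = {
    "/Users/alice/notes.txt": b"Meeting with bob@example.com about the Q3 audit.\n",
    "/Users/alice/photo.jpg": bytes.fromhex("ffd8ffe000104a464946") + b"\x00" * 40,
}
UNALLOCATED = (
    b"\x00" * 300
    + b"deleted draft: transfer to carol@example.org\n"
    + bytes.fromhex("ffd8ffe1")
    + b"\x00" * 100
)

PATTERNS = {
    "email": rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",  # regular expression
    "jpeg_soi": rb"\xff\xd8\xff[\xe0\xe1]",                         # hexadecimal signature
    "keyword": re.escape(b"transfer"),                              # plain search term
}


def assemble_image() -> tuple[bytes, int]:
    """Return (image bytes, length of the allocated region)."""
    allocated = b"".join(ALLOCATED_FILES.values())
    return allocated + UNALLOCATED, len(allocated)


def build_index(files: dict[str, bytes]) -> dict[str, set[str]]:
    """Smart-index stand-in: tokenise only allocated files, lower-cased, token -> paths."""
    index: dict[str, set[str]] = {}
    for path, data in files.items():
        for token in re.findall(rb"[A-Za-z0-9_.@-]{3,}", data):
            index.setdefault(token.decode("ascii").lower(), set()).add(path)
    return index


def index_search(index: dict[str, set[str]], term: str) -> set[str]:
    return index.get(term.lower(), set())


def content_search(image: bytes, patterns: dict[str, bytes],
                   chunk_size: int = 128, overlap: int = 64) -> list[tuple[str, int, bytes]]:
    """Live search over every byte of the image.

    Each window is chunk_size + overlap bytes. A hit is recorded only in the chunk where it
    begins, so matches crossing a boundary are reported once and never truncated, provided
    no match is longer than `overlap` bytes.
    """
    compiled = {name: re.compile(pattern) for name, pattern in patterns.items()}
    hits: list[tuple[str, int, bytes]] = []
    for pos in range(0, len(image), chunk_size):
        window = image[pos:pos + chunk_size + overlap]
        for name, regex in compiled.items():
            for match in regex.finditer(window):
                if match.start() < chunk_size:  # later starts belong to the next chunk
                    hits.append((name, pos + match.start(), match.group(0)))
    hits.sort(key=lambda hit: (hit[1], hit[0]))
    return hits


if __name__ == "__main__":
    image, allocated_len = assemble_image()
    for name, offset, data in content_search(image, PATTERNS):
        region = "allocated" if offset < allocated_len else "unallocated"
        print(f"{name:9} @ {offset:5} ({region}): {data!r}")
    index = build_index(ALLOCATED_FILES)
    print("index hit for 'transfer':", index_search(index, "transfer"))
```

Running it shows "transfer" and carol@example.org only in the content search, at offsets past
the allocated region, while the index search for "transfer" returns nothing: the index never
saw the deleted draft.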


Tagging 

The Inspector tagging feature bookmarks meaningful evidence within a case. Evidence can be 
easily located and referred to once it is tagged. External “supplementary files” may be attached 
to tagged evidence, even if such files are not part of the current case. Tagged evidence can be 
incorporated into a report at any time during the investigation process. 
Reporting


Cellebrite Inspector provides uniquely flexible and intuitive reporting features that allow forensic 
examiners to create customized reports and export them to one of several standard file formats. 


Generating Reports 


Inspector includes a report feature that allows convenient report creation and modification.
Reports created within Inspector are searchable and can be exported to the .docx file format
(compatible with Microsoft Word, Apple Pages, and LibreOffice), .pdf, .csv, or other supported
file formats. Custom logo and branding materials may also be incorporated into the examiner
report.


For more information, see Reporting. 


Sharing Cases 


Cellebrite Inspector includes a portable case feature that allows examiners to generate a 
portable case file for a case reviewer. An Inspector Portable Case reader, available for macOS 
and Windows, can be distributed with the data exported into the portable case file. This reader 
does not require installation, does not require a software license, and provides an interface for 
the case reviewer to view files, filter data, perform searches, tag information, and generate 
reports. 


For more information, see Portable Cases. 


Backing Up Case Evidence 


Throughout a digital forensic investigation, you should regularly make backups. Do this by 
copying the case to secure media and storing the media in a secure location. 


When planning an investigation and determining the resources needed, ensure sufficient storage 
space is available to keep adequate backups of the case. Each case backup requires the same 
amount of drive space as the case itself. 


Collecting Files from Remote Computers 


Endpoint Inspector allows customers of Cellebrite Enterprise Services to create and analyze 
logical data collections from remote computers without shipping any hardware. 


Examiners install Inspector on their computers, then access Endpoint Inspector from within 
Inspector. 


Examiners choose remote computers from the list assigned to them and save the selected files 
into a collection file with the Logical Evidence File Format (L01). This format is widely supported 
by forensic and eDiscovery tools, and preserves file content, metadata, and folder structure. 
These L01 files are immediately ingested into Inspector as evidence, where examiners can use 
robust analysis and reporting tools. 


For more information, see Endpoint Inspector. 
Getting Support


You can log in to MyCellebrite portal at https://community.cellebrite.com, which provides access 
to resources and support. 


• Keep your products updated.
• Contact Support or review the knowledgebase.
• Download user manuals and data sheets.
• Manage your product licenses.
• Get expert assistance.


You can also send an email to technical support at support@cellebrite.com.


These technical publications are available for download.


• Cellebrite Inspector Release Notes
• Cellebrite Inspector Installation Guide
• Cellebrite Inspector Quick Start Guide
• Cellebrite Inspector User Guide
• Cellebrite Inspector Portable Case Guide
Workspace Orientation


This chapter provides these topics about the workspace in Cellebrite Inspector.


• Case Manager Window
• Case Info View
• Case Window
• Menu Bar
• Toolbar
• Component List
• Details View
• File Information Pane
• File Content View
• Managing List Views
• Settings, Preferences, and Options


Case Manager Window 


Before you launch Cellebrite Inspector, make sure there is enough storage space on the working 
hard drive to store case files. 


When Inspector is launched, the Inspector Case Manager window appears. Recent cases are 
listed in the Inspector Case Manager window. 


[Screenshot: the Inspector Case Manager window, listing recent cases with their database
connection, creation date, modified date, and case file path, and the New..., Open Other...,
Remove, and Cancel buttons.]


The Inspector Case Manager window shows a list of recently opened cases. To open a case file, 
select the case and click Open. To reopen a case after it has been removed from the recent case 
list, click Open Other, navigate to the case file, and then click Open. You can open a case located 
anywhere in the file system. 


• On Windows computers, double-click the case file in File Explorer.
• On Mac computers, double-click the case file in Finder. You can also drag a case file from
  Finder onto the Inspector Case Manager window to add it to the recent case list.


To remove a recent case from the Inspector Case Manager window, select the case and click 
Remove or press DELETE. 
If the Inspector license subscription is due to expire in less than 60 days, a notice appears near
the top of the Inspector Case Manager window indicating the number of days until expiration.


If the subscription is not renewed, customers in the private sector can no longer use Inspector. 
Customers in law enforcement can continue to use Inspector after the expiration date, but 
software updates are no longer available. 


If you attempt to open a case file created using a previous version of Inspector, a prompt 
appears. Click Update to update the case file. The case file updates and case information remain 
intact, but it is always a good idea to back up case files before you update, as a precaution. 


Note: Some versions of Inspector do not support updati 


For more information, see Open a Case. 


Case Info View 


On the toolbar, click Case Info. The Examiner Information and Case Information fields appear 
where you can provide information about the examiner and the case, such as the case number 
and case synopsis. You can change this information any time during the examination. 


[Screenshot: the Case Info view with the Examiner Information fields (Name, Organization, Title,
Email, Address, Phone, Fax), the Case Information fields (Number, Name, Synopsis), and the Case
Time Zone Display setting with its Time Zone field and example timestamp.]


The Examiner Information fields retain the information you provide when you create your first
case in Inspector; you don't need to provide this information each time you create a case.


Because each case is unique, you must provide the case number, case name, and synopsis for
each case in the Case Information fields. In the bottom left corner of the Case Info window, you
may select a time zone in the Time Zone field. This determines the time zone used by evidence
timestamps in the Case Window and in the examiner report.


By default, Inspector displays timestamps as Coordinated Universal Time (UTC). Dates and times
are displayed with the selected time zone appearing in parentheses, for example: 2009-12-19
19:34:51 (PST). Inspector makes automatic adjustments for daylight saving time shifts in
different parts of the world; you don't need to make any manual changes. Note that stored
timestamps are not altered by this setting: only their display is converted.
Case Window


The Case window contains these elements.


• Toolbar
• Component list
• Content pane
• View filter
• File Information pane (metadata)
• File Content view
• Status bar


[Screenshot: the Case window with the elements above labelled.]


Toolbar 


The toolbar is located at the top of the Case window and is used to select different views that 
display device data in the Content pane in various ways. Additionally, there are several Content 
pane sub-views. These sub-views are discussed in more detail later in this manual. 


By default, the toolbar shows large icons and text labels. You can customize the toolbar by
opening the toolbar context menu (CTRL+click on a Mac, or right-click anywhere on the
toolbar).


The context menu for the toolbar has these options. 


Option                    Description


Big Icons with Labels     Default view with large icons and text labels
Small Icons with Labels   Small 16x16 pixel icons with labels
Big Icons                 Large icons without labels
Small Icons               Small 16x16 pixel icons without labels
Labels Only               Text labels without icons
Component List


When you add a device to a case, it is listed in the Evidence section of the Component list. Click
the disclosure triangle next to a device to view its partitions and the carved files located in
unallocated space. To add evidence to a case, click Add to the right of Evidence and select the
evidence type.


[Screenshot: the Component list with its EVIDENCE section (two devices expanded to show their
partitions and volumes), ACTIVITY section (Evidence Status, Export Status), and the CONTENT
SEARCHES, INDEX SEARCHES, and INVESTIGATIVE NOTES sections.]


The Activity section of the Component list shows file export status and evidence status (data 
import and processing status). Progress indicators appear here for many Inspector user- 
initiated tasks. 


Search results and the search criteria used for saved searches appear in the Content Searches 
section of the Component list. An examiner may create several custom searches during an 
examination, save them, and later refer back to the results and settings for each at any time 
during an examination. 


Queries created for Smart Index appear in the Index Searches section of the Component list. An
examiner may create and save multiple index queries during an examination and later refer back
to the results of each at any time.


Tags and tagged items appear in the Tags section of the Component list. Select a tag to view 
individually tagged items within the tag. The numeric badge to the right of each tag indicates how 
many tagged items are contained within the tag. 


Investigative Notes appear in the Investigative Notes section of the Component list. Investigative
Notes can be added at any time during an examination.


For more information, see Component List. 
File Information Pane


Select a file and click the File Information pane to display the metadata associated with that
file. If the selected file is an image file, additional metadata is likely present.


[Screenshot: the File Information pane for a selected file, listing Field and Value columns with
entries such as BlackLight ID, Evidence ID, Name, Path, Size, Size On Disk, Owner ID, Group ID,
Permissions, Extension, Date Created, Date Modified, Date Accessed, Date Changed, Locked, Hidden,
Fork Count, Extents, Physical Sector, Logical Sector, and Logical Cluster.]


The File Information pane displays extended attributes, hash values, date and time stamps, file 
paths, file size and EXIF, TIFF and location (GPS) data. Drag the dot at the top center of the File 
Information pane up or down to adjust the pane size. 


To hide and show the File Information pane, on the menu bar click View > Hide File Info or
View > Show File Info.
Content Pane


The Content pane displays data in various ways depending on which view option or Component
list item you select. In the Component list, select which devices to view by marking the checkbox
next to the name. From left to right, click each toolbar button to navigate through the different
Inspector view options. In the Component list, from top to bottom, select Activity, Content
Searches, Index Searches, and Tags to see how the Content pane displays each.


[Screenshot: the Media view with its Pictures, Videos, Thumbnails, Combined, and Audio sub-views,
showing a grid of thumbnails labelled by truncated hash and evidence item number.]


A numbered badge appears in each view representing the numbered evidence item from the
Component list.


An examiner spends most of the analysis working in the Content pane, which most of the time
displays data as a file list.


View Filter 


The view filter exists in certain views such as the Media view. This filter allows for specific 
filtering of the data within the current view only. To see the view filter, click the Show/Hide Filter 
button. 


[Screenshot: the view filter bar with the Match: All selector, a filter row (Any, contains, value),
and the Reset... button.]


If the filter is active (applied) the Show/Hide Filter button is green. 
File Content View


The File Content view has these main file viewing options.


• Hex
• Strings
• Preview
• Metadata
• Location
• Record


In the Content pane, select a file. At the top of the File Content view, click Hex, Strings, and 
Preview to view the file as hexadecimal data, as character strings, and as a rendered preview, 
respectively. 




With a file selected, click Metadata in the File Content view. The metadata contents shown are 
identical to those displayed in the smaller File Information pane to the left, but you can enlarge 
the pane as much as you wish. 
Select any media file that contains geolocation (GPS) data (as indicated by a red placemark icon),
or any applicable record in the Location view, then click Location in the File Content view to
display one or more offline maps depicting the item's latitude and longitude coordinates.
Inspector also has a button to optionally view the location in Google Maps (if connected to the
Internet), and shows other geolocation information contained in the file's metadata.


[Screenshot: the Location tab of the File Content view for a selected picture, with the Show on
Google Maps button and an offline OpenStreetMap map centred on the file's coordinates.]


For any selected file that resides on a file system with per-file records, such as HFS+ (the
Catalog file B-tree) or NTFS (the Master File Table), the Record tab displays that file's record.


[Screenshot: the Record tab showing the hex dump of an NTFS MFT FILE record beside its parsed
Data Structure tree (MFT Header, Update Sequence, Fixup Bytes, Sequence Number, Attribute Offset,
Flags, Record Length, Reference to base record, Size, Data Fork), with Sector Offset, Physical
Sector, and Logical Sector shown below the dump.]
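What the Record tab is decoding for an NTFS file, as an added example that is not Inspector's
code: the layout is the documented NTFS on-disk format of a 1 KiB FILE record (signature, update
sequence array, sequence number, flags, attribute list), and the interesting step is the fixup
check. Before the record is written, NTFS saves the last two bytes of every 512-byte sector into
the update sequence array and stamps the update sequence number over them; a reader must verify
those stamps and restore the saved bytes before trusting anything else in the record, otherwise
it is parsing a torn or tampered record. The sample record is constructed inside the block.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024
USA_OFFSET = 0x30                  # update sequence array position on XP-and-later records
HEADER = "<4sHHQHHHHIIQH"          # signature .. next attribute id (42 bytes)
ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02


def apply_fixups(record: bytes) -> bytes:
    """Verify the USN stamped at the end of every sector and restore the saved bytes."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):                      # entry 0 is the USN itself
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch at end of sector {i - 1}: torn or tampered record")
        fixed[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(fixed)


def fixups_intact(record: bytes) -> bool:
    try:
        apply_fixups(record)
        return True
    except ValueError:
        return False


def parse_mft_record(raw: bytes) -> dict:
    """Decode the record header and walk its attributes (resident content, non-resident size)."""
    rec = apply_fixups(raw)
    (_, usa_off, _, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, _next_id) = struct.unpack_from(HEADER, rec, 0)
    info = {
        "lsn": lsn, "sequence": seq, "hard_links": links,
        "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
        "used_size": used, "allocated_size": alloc, "base_record": base_ref & 0xFFFFFFFFFFFF,
        "record_number": struct.unpack_from("<I", rec, 0x2C)[0] if usa_off >= 0x30 else None,
        "attributes": [],
    }
    off = first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:                        # end-of-attributes marker
            break
        if alen < 24 or off + alen > used:
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        nonres, name_len, name_off, _aflags, attr_id = struct.unpack_from("<BBHHH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        attr = {"type": ATTR_TYPES.get(atype, hex(atype)), "name": name,
                "id": attr_id, "resident": nonres == 0}
        if nonres == 0:
            size, coff = struct.unpack_from("<IH", rec, off + 16)
            attr["content"] = rec[off + coff:off + coff + size]
        else:
            attr["real_size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
        info["attributes"].append(attr)
        off += alen
    return info


def build_record(content: bytes = b"constructed resident $DATA payload",
                 seq: int = 3, usn: bytes = b"\x07\x00") -> bytes:
    """Assemble a constructed FILE record with one unnamed resident $DATA attribute, then stamp
    the fixups the way the NTFS driver does before writing the record to disk."""
    usa_count = RECORD_SIZE // SECTOR + 1               # USN plus one saved word per sector
    first_attr = (USA_OFFSET + 2 * usa_count + 7) & ~7  # 0x38
    attr_len = (0x18 + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHH", 0x80, attr_len, 0, 0, 0x18, 0, 2)  # type, len, resident, unnamed
    attr += struct.pack("<IHBB", len(content), 0x18, 0, 0) + content
    attr += b"\x00" * (attr_len - len(attr))
    end_marker = struct.pack("<II", 0xFFFFFFFF, 0)
    used = first_attr + len(attr) + len(end_marker)
    rec = bytearray(RECORD_SIZE)
    rec[:42] = struct.pack(HEADER, b"FILE", USA_OFFSET, usa_count, 0, seq, 1, first_attr,
                           FLAG_IN_USE, used, RECORD_SIZE, 0, 3)
    rec[42:48] = struct.pack("<HI", 0, 42)              # alignment pad, MFT record number
    rec[first_attr:used] = attr + end_marker
    usa = usn
    for i in range(1, usa_count):
        end = i * SECTOR
        usa += bytes(rec[end - 2:end])                  # save what the sector really ends with
        rec[end - 2:end] = usn                          # then stamp the USN over it
    rec[USA_OFFSET:USA_OFFSET + len(usa)] = usa
    return bytes(rec)


if __name__ == "__main__":
    record = build_record()
    print(parse_mft_record(record))
    torn = bytearray(record)
    torn[511] ^= 0xFF                                   # damage the sector-0 fixup stamp
    print("torn record accepted:", fixups_intact(bytes(torn)))
```

The same fixup scheme protects index records (INDX) and $LogFile pages; a parser that skips the
check will happily read stale bytes from a half-written record.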


To adjust the size of the File Content view, at the top of the pane, click and drag the handle up or 
down. 




You can “tear off" the File Content view as a separate window so you can simultaneously see the 
file content in multiple windows. The tear-off handle appears as several short, vertical lines 
immediately above the Hex tab in the upper left of the File Content view. 


Click the handle and drag it away in any direction. A new File Content view window appears. This
new window can be placed on another monitor if multiple monitors are in use, and it can be
enlarged to the desired size. Additional tear-off File Content view windows can be created, and
each one can be used to view different data. For example, one window may show the Preview tab,
while another shows Metadata, and a third shows Location maps. When a file is selected within
the original case window, such as in Browser view, all of the tear-off windows update to reflect
that file. There is no need to reconnect these tear-off windows to the original case window;
simply close each window when finished with it. Even when the File Content view is hidden in the
original case window, it remains available and never has to be reattached.


For more information, see File Content View. 


The Status Bar 


The Status Bar shows selected data such as Content pane file counts and the pathnames of
selected files. Some progress bars also appear in the Status Bar.


Menu Bar 


The menu bar in Cellebrite Inspector is located at the top of the screen on a Mac computer and 
at the top of the application window on a Windows computer. The menu bar has these options. 


• Inspector (Mac only)
• File
• Edit
• Action
• Tags
• Classifications
• View
• Manage
• Window
Inspector Menu


The Inspector menu is available only on Mac computers. 


In the menu bar, click Inspector, and then click the appropriate action. 


Option              Description


About Inspector     Open the About Inspector window, which shows the version, build, dongle ID
                    (serial number), and expiration for Inspector as well as contact information.
Check for Updates   Check for a newer version of Inspector.
Preferences         Open the Inspector preferences window. For more information, see Inspector
                    Preferences or Options.
Services            Open the macOS Services submenu (keyboard shortcuts for services are
                    configured in System Preferences).
Hide Inspector      Hide the Inspector application window.
Hide Others         Hide all other application windows except Inspector.
Show All            Show all application windows.
Quit Inspector      Stop and exit the application.
About Inspector


The About Inspector option opens the About Inspector window, which shows dongle ID and 
license expiration. 


Please have the Dongle ID ready when contacting Cellebrite Technical Support or your sales 
representative. The expiration date shown is the date when the Inspector License Subscription 
contract ends. 


Inspector continues to function after the expiration date, but software updates are no longer 
available. 


[Screenshot: the About Inspector window (Inspector 10.3), showing Version, Build, Dongle ID,
Expiration, and Platform, followed by Company (Cellebrite), Web Page (community.cellebrite.com),
Sales and Support (support@cellebrite.com), and the copyright notice.]


Check for Updates 


The Check for Updates option is available if the analysis computer has an Internet connection.
Select this option to see whether new updates are available. A web browser opens
https://www.community.cellebrite.com/s/support, where you can log in and navigate to the
Inspector software downloads page.
File Menu


Select the File menu and choose the appropriate submenu option to create a new case, open an 
existing case, or add evidence such as disk images, devices, and folders to a case. 


The File menu contains these items. 


Option                  Description


New Case                Create a new Inspector case
Open Case               Open an existing case
Open Recent             List recently opened cases
Close                   Close the current case
Add Evidence            Add evidence to the case
Add Selected            Add selected evidence (such as a selected disk image) to the case
Create Case Archive     Create an archive of a case from the Case Manager window for transfer
                        between Mac and Windows platforms
Restore Case Archive    Import a case archive into a new case file
Save Case Template      Save customized case settings (tags, file filters, searches, and evidence
                        import settings) as a case template, including a processor template
Import Case Template    Import a case template containing customized case settings and apply it
                        to a new case
Export Case Template    Export a case template (for other examiners to use)
Exit (Windows only)     Close and exit Inspector


Create Case Archive 


To move a case file between computers running different platforms, such as from a Mac to a
computer running Windows (or vice versa), a case archive must be created and then transferred
between the two computers. A case archive can also be used to import a case file into a version
of Inspector that does not support upgrading case files from previous versions of Inspector.


To create the case archive, in the Case Manager window click File > Create Case Archive. A Save
window appears, allowing the examiner to choose where to save the archive. The archive consists
of a folder containing a bl-casedata text file and a partitions.zip archive. When transferring
the archive between computers, the folder and all of its contents must be copied.
Restore Case Archive


To open a case archive, the archive must be imported into a new case file.


To import the archive folder, in the Case Manager window click File > Restore Case Archive. An
Open window appears. Select the archive folder containing the bl-casedata text file and the
partitions.zip file, and then click Open.


Save Case Template 


Customized Inspector case settings such as tags [empty], file filters, saved searches, and 
evidence processing options can be saved to a template and used in subsequent cases. 


To save the current settings as a template, click File > Save Case Template. The Save Case 
Template window appears, where you can choose which settings to include in the template. 


[Screenshot: the Save Case Template dialog. It explains that a Case Template provides default
settings for new case files and asks you to select the items to be mirrored when creating a new
case, with checkboxes for Tags (empty tags will exist with the same names), File Filters, and
Saved Searches, an Edit Processor Templates... button, and a Cancel button.]
Click Edit Processor Templates. The Add Evidence window appears, with no evidence shown.
Choose the processing options to save, then in the field below the processing options type
the name for the processor template, and then click Add.


[Screenshot: the Add Evidence window's Processing Options, with the Preview, Triage, and
Comprehensive presets and the individual options Extract Data, DB Recovery, File Signature
Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate
Hashes, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs,
Hiberfil.sys / Pagefile.sys, Quick Scan, and Calculate File Entropy, plus a Manage Passwords...
button.]


The new processor template is added to the Saved Templates list. To delete a processor 
template, select it in the Saved Templates list and click Delete. When finished, click Save. Then 
click Save in the Add Evidence window. 


For more information, see Adding Evidence to a Case. 


To use a saved case template (for example a template with saved tags, file filters, and saved
searches), you need only create a new case. The saved settings are applied to the new case by
default, even if the Inspector application was restarted after the settings were saved.


Export Case Template and Import Case Template 


To share a template with other examiners, the template must be exported (as opposed to using
the Save Case Template option). Likewise, to keep multiple case templates, export each one by
clicking File > Export Case Template. To finish the export process, type the name of the template,
choose the save location, and then click Save.


To import a case template, click File > Import Case Template, select the appropriate template, and 
then click Open. 
Edit Menu


The Edit menu includes typical cut, copy, paste, undo, redo, and find submenu options. 


In the Search Results view (such as when an item is selected in the Content Searches section of
the Component list), the Edit menu includes the Delete Search (search name) option.


In the Tags view (such as when an item is selected in the Tags section of the Component list), the
Edit menu includes the Delete Tag (tag name) option.


On the Windows platform, the Edit menu includes Options, which is identical to Inspector > 
Preferences on the Mac platform. For more information, see Inspector Preferences or Options. 


Action Menu 
The Action menu includes several options for handling evidence. 


Option                 Description


Save File Listing      Save attributes from the selected file(s), such as date stamps, paths,
                       extensions, and File IDs, to a text file
Copy Path              Copy the selected file's path to the clipboard
Quick Look (Mac only)  Preview the selected file without launching its application
Find Identical Files   List all files with hashes identical to the selected file(s)
File History           Display a File History window for files with variants parsed from
                       Windows Volume Shadow Copies
Disk Imaging           Acquire full disk or logical images of attached drives
Export                 Open a sub-menu for exporting information from Inspector
Reveal                 Open a sub-menu for revealing data

Save File Listing 


The Save File Listing menu option saves attributes for the selected files (such as date stamps, 
paths, extensions, and unique IDs) to a text file. When you click Save File Listing, the Save dialog 
box appears. Select the location where the file listing should be saved, and then click Save. 


By default, Inspector file listings are saved as .asc files, which can be opened by a text editor or 
spreadsheet application. 


Copy Path 


The Copy Path menu option is available only when a file is highlighted. It copies the selected 
file's path to the clipboard. Copy Path is useful with the Search feature: paste the copied path 
into the search path text field in the Contain Search to area. 
Quick Look 


The Quick Look menu option is available only on Mac computers. It opens the selected file using 
the Apple Quick Look framework. Quick Look renders the file in its native view if an appropriate 
Quick Look plug-in, or the file's native application, is installed on the examiner's analysis 
machine. 


Highlight a file and press SPACEBAR to activate the Quick Look feature via keyboard shortcut. 
Find Identical Files 


To locate files with the same hash value as a specific file (identical files), select a file in the 
Content pane, then click Find Identical Files. Inspector automatically switches to the File Filter 
view and applies the List All Files and File Hash | is | <hash value> filter options. Files with the 
same hash value appear in the Content pane. 


[Screenshot: File Filter view with the List All Files and File Hash | is | <hash value> filters applied. 
The Content pane lists two copies of photo1-1.jpg with the same size and hash but different 
Date Added values.] 


File History 


The File History menu option is available only when files from a Windows volume with Volume 
Shadow Copy variants are selected or highlighted. When a file is selected and the File History 
menu option is chosen, a File History window appears. 


For more information, see Browser View. 
Disk Imaging 


The Disk Imaging menu option acquires full disk or logical images of attached drives. These 
drives must be write-blocked with either software- or hardware-based write blockers. The 
Image Device dialog box shows only the options appropriate for the selected image type. 


For more information, see Image and Ingest an Attached Drive. 
Export Menu 


The Export menu option is used to export selected or highlighted files. The Export menu opens a 
sub-menu with several export options. 


Option | Description 
Export Selected Files | Export (copy) the selected file(s) to an external folder 
Export Selected Files As L01 | Export the selected file(s) to a Logical Evidence File, maintaining metadata and folder structure 
Export for Legal Review | Export responsive files while preserving important metadata 
Export Hash Set | Export hash values for all selected files as an Inspector hash set (Inspector hash sets can be saved and imported into other Inspector cases) 
Export Data Model | Export selected files to the chosen data model format 
Export Case Data As XML | Export case data (all evidence items or a selected evidence item) to an XML file 
Export Selected Rows | Export selected database rows from the active case to a tab-delimited or CSV file 
Export Selection | Export a highlighted selection as raw data, formatted data, or simple hex 
Export Selected Location Data As | Export GPS metadata from selected files to a KMZ or KML file (Google Earth placemark file) 
Export Password Key List | Export a .TXT file with one word on each line, without duplicates 


Several of these export options have their own sub-menus, described below. 


Export Selected Files 
These are the options in the Export Selected Files menu. 


• Files Only 
• Folder Structure 
• Folder Structure (from root) 


The Files Only option exports only the selected files. If a folder is selected, the files within the 
folder will be exported, but the folder will not be exported. The files from the folder will be placed 
in the directory chosen for export along with any other files selected for export. If files are 
selected from more than one device or volume, they will all be placed in the same export folder. 
Refer to the Volume Name or Volume ID in _BBTExportLog.txt to determine the device or volume 
on which the files were originally located. 
The Folder Structure option exports selected files and folders. When folders are selected, the 
folders and the files within them will be placed in the directory chosen for export along with 
any other files selected for export. If files are selected from more than one device or volume, a 
folder will be created in the export directory named with the number badge shown in the 
Component list, underscore, device or volume name. The files and folders exported from each 
device or volume will be placed in the corresponding folder. 


The Folder Structure (from root) option exports the selected files and folders, maintaining the 
folder structure from the root of the device. If files are selected from more than one device or 
volume, a folder will be created in the export directory named with the number badge shown in 
the Component list, underscore, device or volume name. The folder structure from the root of 
the device or volume will be created in the corresponding export directory containing the files 
and folders selected for export. 


Export Selected Files As L01 


The Export Selected Files As L01 menu option is available only when files are selected or 
highlighted. When a file is selected and you choose the Export Selected Files As L01 option, you can 
select or create a destination folder and provide a name for the Logical Evidence File. 


Export For Legal Review 


Click the Export for Legal Review menu item to export selected files in a format suitable for 
loading into an electronic discovery review platform. From any file list, select the files to export 
and choose Export for Legal Review. The Export Files for E-Discovery dialog box appears. In the 
Load File Format field, select the appropriate load file type. Type the custodian ID, custodian 
name, and a case name into the corresponding text fields. 


Cases can be exported to an Inspector Load File, a tab-delimited file, or a Concordance load file. 
Options are also available in the Export Files for E-Discovery dialog to add a prefix to the 
collection folder name and the files. The folder name is a combination of the Folder Prefix and 
the Case Name. 


[Screenshot: the Export Files for E-Discovery dialog box. Fields shown: Load File Format 
(Inspector Load File); Custodian Name (Smith); Case Name (0001); Folder Prefix (CAPTURE), 
Starting ID (1), Length (4); File Prefix (DOCUMENT), Starting ID (1), Length (9); Files Per (5000); 
checkboxes Add missing file extensions (file typing required) and Ignore .DS_Store files; Cancel 
and Save buttons. The preview reads CAPTURE0001/DOCUMENT000000001.] 


Files in the capture are named using the File Prefix followed by a number that begins at the 
Starting ID and is padded to the Length shown, so with the settings above the first file is 
DOCUMENT000000001 inside the folder CAPTURE0001. There are also options to Add missing file 
extensions (file typing required) and to Ignore .DS_Store files. 


When the settings are complete, click Export. A load file containing the selected files and 
information about the files (metadata) is generated. If you attempt a second export into a 
destination folder that already contains an export, Inspector warns you; the warning exists to 
prevent overwriting the previous export. 
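The naming scheme the dialog produces can be reproduced outside Inspector, which is handy for checking an export or for generating the same identifiers in a processing script. The following Python is an added example written for this page, not Inspector's own code. It assumes that Files Per is the number of documents placed in one capture folder before the folder counter advances, that document numbers continue across folders, and that both counters start at their Starting ID and are zero-padded to the configured Length; the page shows the defaults but does not state these rules.

```python
"""Added example (not Inspector code): reproduce the capture/document naming
used by Export for Legal Review from the dialog's settings.

Assumptions (not stated on the page): Files Per is the number of documents per
capture folder, document numbers continue across folders, and both counters
start at their Starting ID and are zero-padded to Length digits.
"""
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass(frozen=True)
class LegalReviewNaming:
    folder_prefix: str = "CAPTURE"
    folder_start_id: int = 1
    folder_length: int = 4
    file_prefix: str = "DOCUMENT"
    file_start_id: int = 1
    file_length: int = 9
    files_per_folder: int = 5000  # "Files Per" in the dialog (assumed meaning)

    def __post_init__(self) -> None:
        if self.files_per_folder < 1:
            raise ValueError("Files Per must be at least 1")
        if self.folder_length < 1 or self.file_length < 1:
            raise ValueError("Length must be at least 1")

    def folder_name(self, folder_index: int) -> str:
        """folder_index is zero-based; with the defaults the first folder is CAPTURE0001."""
        number = self.folder_start_id + folder_index
        return f"{self.folder_prefix}{number:0{self.folder_length}d}"

    def document_id(self, doc_index: int) -> str:
        """doc_index is zero-based; with the defaults the first document is DOCUMENT000000001."""
        number = self.file_start_id + doc_index
        return f"{self.file_prefix}{number:0{self.file_length}d}"

    def assign(self, source_paths: List[str]) -> Iterator[Tuple[str, str, str]]:
        """Yield (source_path, capture_folder, document_id) for every file,
        moving to the next capture folder once files_per_folder documents
        have been placed in the current one."""
        for doc_index, path in enumerate(source_paths):
            folder_index = doc_index // self.files_per_folder
            yield path, self.folder_name(folder_index), self.document_id(doc_index)


def capacity(naming: LegalReviewNaming) -> int:
    """How many documents the File ID can name before it outgrows its padded
    Length: the check to make before exporting a very large collection."""
    largest = 10 ** naming.file_length - 1
    return largest - naming.file_start_id + 1


if __name__ == "__main__":
    # Small Files Per value so the folder counter visibly rolls over.
    naming = LegalReviewNaming(files_per_folder=2)
    sample = ["/Users/smith/a.docx", "/Users/smith/b.pdf", "/Users/smith/c.xlsx"]  # constructed
    for src, folder, doc_id in naming.assign(sample):
        print(f"{folder}/{doc_id}  <-  {src}")
```

With a Length of 9 the File ID never overflows in practice, but the `capacity` check matters when an examiner shortens Length to match a review platform's naming convention.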


Export Hash Set 


Custom Inspector hash sets (.blhs) may be saved and imported into other Inspector cases. To 
generate a hash set from specific files in any Inspector view, select the files and click Export Hash 
Set. The Hash Set Export dialog box appears, presenting the three hash types: MD5, SHA-1, and 
SHA-256. Mark the hash types to include in the hash set, and then click Continue. In the Hash Set 
Save Location dialog box, click Save. The custom Inspector hash set is generated and saved. 


To generate a hash set of every file in a case, in the Browser view, select the root folder (at the 
top of the file list) and choose the Export Hash Set menu option. 


By default, hash sets are saved in the /Cellebrite/Inspector/Hash Sets folder. This folder is found 
in these locations. 


• macOS: <User>/Library/Application Support/Cellebrite/Inspector/Hash Sets 
• Windows: \<User>\AppData\Roaming\Cellebrite\Inspector\Hash Sets 


You may also import existing custom Inspector (.blhs), EnCase (6.19 and lower), and NSRL hash 
sets, as well as hash sets saved as plain text documents. For more information, see Hash Set 
and File Signature DB Management. 
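Both Find Identical Files (above) and Export Hash Set rest on the same file digests. The following Python is an added example, not Inspector's own code: it computes MD5, SHA-1 and SHA-256 for a set of files in a single read of each file, writes the unique digests out as a plain-text hash set, and groups files that share a SHA-256 value, which is what the File Hash | is | <hash value> filter returns. The one-digest-per-line text layout is an assumption (the page does not document the .blhs format), and the sample files are constructed.

```python
"""Added example (not Inspector code): compute a multi-algorithm hash set for a
set of files, write it as a plain-text list, and group identical files by hash.

Assumption: the .blhs layout is not documented on this page, so the text form
written here (one lower-case hex digest per line) is this example's own.
"""
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, Iterator, List

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB reads, so large evidence files are never loaded whole


def _digests(chunks: Iterator[bytes], algorithms: Iterable[str]) -> Dict[str, str]:
    """Feed every chunk to every hasher once; returns {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in chunks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    return _digests(iter([data]), algorithms)


def hash_file(path: Path, algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, str]:
    with path.open("rb") as fh:
        return _digests(iter(lambda: fh.read(CHUNK), b""), algorithms)


def build_hash_set(paths: Iterable[Path], algorithms: Iterable[str] = ALGORITHMS) -> Dict[str, Dict[str, str]]:
    """Like selecting files and choosing Export Hash Set: path -> digests."""
    return {str(p): hash_file(p, algorithms) for p in paths}


def write_plain_text_hash_set(hash_set: Dict[str, Dict[str, str]], out_path: Path, algorithm: str = "sha256") -> int:
    """Write the unique digests for one algorithm, one per line, sorted;
    returns how many lines were written."""
    digests = sorted({d[algorithm] for d in hash_set.values()})
    out_path.write_text("\n".join(digests) + "\n")
    return len(digests)


def find_identical(hash_set: Dict[str, Dict[str, str]], algorithm: str = "sha256") -> Dict[str, List[str]]:
    """Group paths whose digests match, i.e. the File Hash | is | <hash value>
    filter applied for every file at once. Only groups of two or more are kept."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for path, digests in hash_set.items():
        groups[digests[algorithm]].append(path)
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def demo() -> dict:
    """Constructed sample: three files in a temp directory, two byte-identical."""
    root = Path(tempfile.mkdtemp())
    (root / "photo1-1.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 100)
    (root / "copy_of_photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"A" * 100)
    (root / "notes.txt").write_bytes(b"unrelated content")
    hash_set = build_hash_set(sorted(root.glob("*")))
    lines = write_plain_text_hash_set(hash_set, root / "custom_hash_set.txt")
    identical = {h: [Path(p).name for p in paths] for h, paths in find_identical(hash_set).items()}
    return {"unique_sha256": lines, "identical": identical}


if __name__ == "__main__":
    print(demo())
```

Inspector offers MD5 and SHA-1 because older hash sets (NSRL, EnCase) use them; both have known collisions, so when you decide that two files are the same on hash alone, group on SHA-256 as `find_identical` does by default, and keep MD5/SHA-1 only for matching against legacy sets.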


Export Data Model 


The Export Data Model menu option is used to export images, videos, and thumbnails in a specific 
data model format. Data models for pictures and videos can be exported to LACE, C4ALL, 
Project VIC, and Semantics21 formats. When exported, these data models can be ingested into 
their respective utilities for further processing. 
Before exporting the data models, Inspector must have completed these processes. 


• Hashes 
• Filetypes 
• Pictures and/or Videos 


These data model formats are available in the Export Data Model sub-menu: 


• Project VIC Version 1.1 
• Project VIC Version 1.2 
• Project VIC Version 1.3 
• Project VIC Version 2.0 
• BlueBear LACE 
• C4ALL (for more information, see C4ALL) 
• S21 


To export to a given data model, select the files of interest. From the Action menu or the right- 
click contextual menu, choose Export Data Model followed by the preferred data model. A window 
appears where you can specify a destination folder. Once the folder is selected click Export. 


[Screenshot: the folder selection dialog, prompting "Select a folder to save exported files to", 
with an Export_Data_Model folder chosen and New Folder, Cancel and Export buttons.] 


Export Case Data As XML 


To export casefile data to an XML file, click the Export Case Data As XML option, and choose either 
All Evidence Items or Selected Evidence Item. This will generate an XML file containing all of the 
normalized data from the casefile for either all evidence items or the currently selected evidence 
item. 


All normalized data from an Inspector casefile can be exported into a single XML file for ingestion 
into another utility that supports Inspector's XML format. Casefiles containing multiple pieces of 
evidence can export XML data for individual evidence items or for all evidence items. 


Export Selected Rows 


The Export Selected Rows menu option is available from any view that displays data as a file list. 
This option may be used to export selected entries to a TSV file, a Comma Separated Values 
(CSV) file, or a logical evidence file (L01), depending on examiner preference. You can access 
this menu option from the Action menu or by opening the context menu for the selected rows. 
Export Selection 


To export a Hex snippet from the File Content view as raw data, formatted data, or hex, at the top 
of the File Content view, click Hex and click the Export Selection option. You can also open the 
context menu for the selected hex string and click Export Selection. 


[Screenshot: the $MFT file of the NTFS / exFAT (0x07) (No Volume Label) volume selected in the 
Browser view, with the Hex tab open and the context menu showing the Export options, including 
Export Selection, alongside the Record Data Structure pane.] 


Export Selected Location Data As 


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped 
with the Google Earth application. 


1. Select the file(s) containing GPS data, click Action > Export Selected Location Data As, and then 
choose either KMZ or KML format. 

2. In the Export dialog box, type a file name and choose or create a destination folder, and then 
click Export. 
Inspector exports the GPS data to a .kmz or .kml file in the destination folder. 

3. Open the .kmz or .kml file in Google Earth. 
Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth 
sidebar Places section. 


To see an applied .kmz/.kml file usage example, see Locating Live Victims. 
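For a sense of what the exported placemark file contains, and to build one from GPS metadata you have parsed yourself, the following Python is an added example (not Inspector's code). It writes a KML document with one Placemark per file and wraps the same document as a KMZ, which is a zip archive containing doc.kml. The coordinates in SAMPLE are constructed, and the range check is this example's own addition.

```python
"""Added example (not Inspector code): write GPS metadata for selected files to
a .kml file and to a .kmz (a zip archive containing doc.kml), one Placemark per
file, in the form Google Earth opens. SAMPLE coordinates are constructed.
"""
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import Iterable, NamedTuple

KML_NS = "http://www.opengis.net/kml/2.2"


def _tag(name: str) -> str:
    return f"{{{KML_NS}}}{name}"


class FileLocation(NamedTuple):
    name: str         # shown on the pushpin and in the Places sidebar
    path: str         # path inside the evidence, kept as the description
    latitude: float   # decimal degrees, north positive
    longitude: float  # decimal degrees, east positive


def valid_coordinates(loc: FileLocation) -> bool:
    """EXIF parsers sometimes return garbage; refuse values off the globe."""
    return -90.0 <= loc.latitude <= 90.0 and -180.0 <= loc.longitude <= 180.0


def build_kml(locations: Iterable[FileLocation]) -> bytes:
    """Return a KML document (bytes, with XML declaration), one Placemark per file."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_tag("kml"))
    doc = ET.SubElement(kml, _tag("Document"))
    for loc in locations:
        if not valid_coordinates(loc):
            raise ValueError(f"{loc.name}: coordinates out of range")
        pm = ET.SubElement(doc, _tag("Placemark"))
        ET.SubElement(pm, _tag("name")).text = loc.name
        ET.SubElement(pm, _tag("description")).text = loc.path
        point = ET.SubElement(pm, _tag("Point"))
        # KML orders coordinates longitude,latitude,altitude (not lat,lon)
        ET.SubElement(point, _tag("coordinates")).text = f"{loc.longitude},{loc.latitude},0"
    return ET.tostring(kml, encoding="utf-8", xml_declaration=True)


def write_kml(locations: Iterable[FileLocation], out_path: Path) -> Path:
    out_path.write_bytes(build_kml(locations))
    return out_path


def write_kmz(locations: Iterable[FileLocation], out_path: Path) -> Path:
    """A .kmz is a zip archive; Google Earth reads the doc.kml inside it."""
    with zipfile.ZipFile(out_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", build_kml(locations))
    return out_path


def read_kmz(path: Path) -> bytes:
    with zipfile.ZipFile(path) as zf:
        return zf.read("doc.kml")


def placemark_count(kml_bytes: bytes) -> int:
    """Count Placemarks in a KML document; a quick sanity check on an export."""
    return len(ET.fromstring(kml_bytes).findall(f".//{_tag('Placemark')}"))


SAMPLE = [  # constructed values, not from any real case
    FileLocation("IMG_0001.jpg", "/Users/smith/Pictures/IMG_0001.jpg", 51.5007, -0.1246),
    FileLocation("IMG_0002.jpg", "/Users/smith/Pictures/IMG_0002.jpg", 40.6892, -74.0445),
]

if __name__ == "__main__":
    import tempfile
    out_dir = Path(tempfile.mkdtemp())
    print(write_kml(SAMPLE, out_dir / "locations.kml"))
    print(write_kmz(SAMPLE, out_dir / "locations.kmz"))
```

The longitude-before-latitude order in the coordinates element is the most common mistake when producing KML by hand; a file with the order swapped still opens, but every pushpin lands in the wrong place.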


Export Password Key List 


Export a .TXT file with one word on each line, without duplicates. This .TXT file supports creating 
custom dictionary files with password candidates for use in investigations, by providing key 
material for third-party software such as Passware Kit Forensic. 


1. Run indexing in Inspector for the appropriate volumes. 
2. When indexing is complete, select the volumes to export. 
3. Click Action > Export > Export Password Key List. 
4. Specify the destination and filename for the exported .txt file. 
5. To see progress, in the Component list click Export / Imaging Status under Activity. 


[Screenshot: Export Status under Activity in the Component list, listing the PasswordKeyList.txt 
export with its Details, Destination, Progress and Status (Exporting) columns.] 

For the password export in progress, you can see the destination you specified, the duration of 
the export, and the status. 


During export, you can pause or delete the action. 


• To pause an export in progress, click Exporting and then click Pause. 
To resume a paused export, click Paused and then click Resume. 
• To delete the export in progress, click Exporting and then click Delete Item. 


When the export is complete, the status becomes Finished. 


You can find the exported .TXT file in the destination you specified. This is an example. 


[Screenshot: PasswordKeyList.txt opened in Notepad, showing one candidate word per line, 
including passphrases, base64-like strings and runs of digits.] 

Note: It may take some time to open the .TXT file if it is very large. 


For images ingested from Mac OS X 10.x through Mojave 10.14.3 and from iOS 9.x through 12.x, 
Inspector can also export password hashes, custom dictionary entries, passwords saved in 
browsers (Safari, Opera, Google Chrome, and so forth), and keychain files. 
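As an added example, not Inspector's code, the following Python builds a key list of the same shape from text already indexed for a volume: one candidate per line, duplicates removed, in first-seen order so that repeated runs produce the same file. Inspector's rule for choosing words is not stated on this page, so the tokenisation (whitespace-separated tokens, plus the pieces of each token split at = : , ; and quote characters) and the sample index lines are this example's own assumptions.

```python
"""Added example (not Inspector code): build a password key list, one
candidate per line with no duplicates, from text indexed for a volume, for use
by a third-party cracker such as Passware Kit Forensic.

Assumption: Inspector's rule for choosing words is not documented on this page;
the tokenisation here (whitespace tokens, plus the pieces of each token split
at = : , ; and quote characters) is this example's own. SAMPLE_INDEX is
constructed.
"""
import re
from pathlib import Path
from typing import Iterable, List

TOKEN = re.compile(r"\S+")
# Characters that commonly glue a password to its key in config and log text.
SEPARATORS = re.compile(r"[=:,;\"'()\[\]<>]+")


def candidates(index_text: Iterable[str], min_len: int = 1, max_len: int = 64) -> List[str]:
    """Unique candidates in first-seen order. Each whitespace token is kept
    whole, and the pieces around separators are added too, so 'password=abc'
    yields 'password=abc', 'password' and 'abc'. Matching is case-sensitive:
    'Admin' and 'admin' are distinct candidates, which is what a cracker wants."""
    seen = set()
    out: List[str] = []

    def add(word: str) -> None:
        if min_len <= len(word) <= max_len and word not in seen:
            seen.add(word)
            out.append(word)

    for line in index_text:
        for tok in TOKEN.findall(line):
            add(tok)
            for piece in SEPARATORS.split(tok):
                if piece:
                    add(piece)
    return out


def write_key_list(words: List[str], out_path: Path) -> int:
    """One word per line, UTF-8, newline-terminated; returns the count written."""
    out_path.write_text("\n".join(words) + "\n", encoding="utf-8")
    return len(words)


SAMPLE_INDEX = [  # constructed lines standing in for indexed volume text
    "user=smith password=1969BossMustang",
    "token=fp/m68zjaG8LPkw3IdN3GkMo13c= 1969BossMustang",
    "spuk9136 temporalee355 spuk9136",
]

if __name__ == "__main__":
    import tempfile
    words = candidates(SAMPLE_INDEX)
    n = write_key_list(words, Path(tempfile.mkdtemp()) / "PasswordKeyList.txt")
    print(n, "candidates written")
```

The `max_len` cap keeps multi-kilobyte base64 blobs and hex dumps out of the list, where they would only slow the cracker down; raise `min_len` if the tool you feed the list to rejects very short words.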
Reveal 


Option | Description 
Reveal File On Disk | Export the selected file(s) from the current case and reveal the new location in the Finder or system browser 
Reveal File in File Browser | Reveal the file location within the Inspector Browser 
Reveal File in Disk View | Reveal the file location within the Inspector Disk View 
Reveal File On Disk 


The Reveal File On Disk menu option exports (copies) the selected file(s) from the current case 
and reveals the new location in Finder or File Explorer. In the confirmation dialog box, click View 
File(s), and then select a destination folder. Click Export to export the files to the selected 
destination folder. A Finder or File Explorer window opens to reveal the location of the exported 
files. 


Reveal File in File Browser 


The Reveal File in File Browser menu option reveals a file's location within the Inspector Browser 
view. Select a file in the Inspector File Filter or Search view and then select Reveal File in File 
Browser. Inspector switches to Browser view and displays the file in its actual location within 
the file system. 


Reveal File in Disk View 


The Reveal File in Disk View menu option reveals a file's location within the Inspector Disk View. 
Select a file in the Inspector Browser or File Filter view and then select Reveal File In Disk View. 
Inspector switches to Details view, with the Disk View tab selected, and displays the file in that 
view. 


Tags Menu 


The Tags menu contains options to help you manage meaningful evidence within a case. Tagged 
evidence is easily located and can be incorporated into the examiner's report at any time during 
the forensic examination. 


Option | Description 
Delete Selected Tag | Removes the selected tag from the case. All associations between items and that tag are also removed. 
Tag <Type of Items> As | Adds the selected items to a new or existing tag. 
Remove <Type of Item> From Tag Group | Removes the selected items from all tags or from specified tags. 
Delete Selected Tag 


This menu option is available when a tag is selected in the Tags section of the Inspector Case 
window. 


Tag <Type of Items> As 
This menu option lets you add selected objects to either a new tag or an existing tag. The name 
of this menu option changes depending on the context and on the objects that are selected. 


• When a file or multiple files are selected, the name is Tag File As. 
• In the Actionable Intel tab, if Trash Items are selected, the name is Tag Trash Items As. 
• In the Actionable Intel tab, if User Accounts are selected, the name is Tag User Accounts As. 


Existing tags appear in the Tag <Type of Items> As menu along with their shortcut keys. 


Option | Description 
New Tag | Create a new tag for the selected item. 
Tag 1 | Existing tag named Tag 1. Inspector automatically assigns the shortcut 1 to the first existing tag. 
Tag 2 | Existing tag named Tag 2. Inspector automatically assigns the shortcut 2 to the second existing tag. 


For more information, see Tags. 
Remove <Type of Items> From Tag Group 


This menu option allows you to remove tagged items from all tags or a specific tag. This option is 
available when tagged items are selected in any view within Inspector. 


Option | Description 
All Evidence Tags | If the selected items are listed in more than one tag, choosing this removes the items from all tags. 
<Tag Name 1> | Name of the first tag the selected items are tagged in. 
<Tag Name 2> | Name of the second tag the selected items are tagged in. 


When the selected items are tagged in multiple tags, all of the tags are listed. 
Classification Menu 


The Classification menu provides these options. 


Option | Description 
Classify Item As | Apply a classification to the selected item. 
Remove Classification from Item | Remove a classification from the selected item. 


For more information, see Classification. 


View Menu 


The View menu provides these options. 


Option | Description 
Adjust List Columns | Choose which columns are visible in the list views, and change the order in which columns are displayed 
Hide File Info / Show File Info | Hide or show the File Information pane, which provides metadata 


Adjust List Columns 


To change the visible columns, click View > Adjust List Columns. You can show or hide each 
column by marking or unmarking its checkbox. You can also reorder the columns by dragging and 
dropping each item in the list into the appropriate position. When you have finished making 
changes, click Apply Changes. The columns now appear in the specified order. 


To return columns to the way they were displayed by default, click View > Adjust List Columns. 
Click Reset List to Defaults, then click Apply Changes. 


Note: Column options vary depending on which view is selected, and Inspector applies column 
option settings to each view independently. 


Hide/Show File Info 


To hide or show the File Information pane, click View > Hide File Info or Show File Info. 
Manage Menu 


Use the Manage menu to manage hash sets, file signatures, plugins, C4ALL, S21 (Semantics21), 
passwords and classifications. 


Option | Description | Mac | Windows 
File Signatures | Open the File Signature Management window | Yes | Yes 
Hash Sets | Open the Manage Hash Sets window | Yes | Yes 
Plugins | Open the Manage Plugins window | Yes | Yes 
C4ALL | Open the Manage C4ALL window | Yes | Yes 
S21 | Open the Manage S21 window | Yes | Yes 
Drive Mappings | Map a volume to a drive letter of your choice, thus avoiding the file path character limit of Windows | - | Yes 
Passwords | Open the Passwords window | Yes | Yes 
Classifications | Open the Classifications window | | 


For more information, see Hash Set and File Signature DB Management. 


Window Menu 
Use the Window menu to manage your case windows. 


You may find it useful to see two or more current case views simultaneously, such as tagged 
items within a tag and the examiner report. 


Option | Description 
Cases Window | Open the Inspector Case Manager window 
Minimize | Minimize the current Inspector window 
Zoom | Adjust the current Inspector window size 
New Window For This Case | Open another Inspector window for the same case 
Hide Toolbar and Sidebar | Hide or show the Inspector toolbar, Component list and File Information pane 


Open cases and multiple case windows appear as submenus in the Window menu. To bring a 
case to the front, click Window and select an open case. 
Help Menu 
Use the Help menu to get help, provide feedback, get technical support, and quickly access the 
Cellebrite website. 


Option | Description 
Cellebrite Website | Open the Cellebrite home page in a web browser 
Inspector Feedback | Send an email to Cellebrite to provide feedback about Inspector 
Technical Support | Open the technical support page on the Cellebrite website in a web browser 
Update Dongle License | Open the Update Dongle window, where you find and select the license file for your Inspector device and click Update. The license filename uses this pattern: bbtlicense_<serialNumber>, where <serialNumber> is the serial number for your Inspector device. 
Enter License Key | Used for demonstration purposes with cooperation from Cellebrite sales. If an Inspector device (dongle) is connected to the computer, this option does not open the window. 
About Inspector (Windows only) | Open the About Inspector window, which shows the version, build, dongle ID (serial number), and expiration for Inspector as well as contact information. 
Check for Updates (Windows only) | Check for a newer version of Inspector 
Toolbar 


The toolbar provides access to information about a case, details about the evidence in a case, 
report features, the Inspector portable case feature, analysis tabs, and notifications from 
Inspector. 


Button | Description 
(Case Manager icon) | Opens the Case Manager window. For more information, see Case Manager Window. 
Case Info | Click Case Info to see details about the case, including Examiner Information, Case Information and Case Time Zone Display. For more information, see Case Info View. 
Details | Click Details to see details about the selected device or partition and an interactive graphical representation of device contents. For more information, see Details View. 
Report | Click Report to see, edit, and generate the examiner report. For more information, see Reporting. 
Timeline | Click Timeline to open the Timeline view. For more information, see Timeline View. 
Share | Click Share to share the examiner report using the Portable Case feature. For more information, see Portable Cases. 
Browser | Click Browser to navigate manually through the file structure on the device, similar to Finder on Mac computers or File Explorer on Windows computers. For more information, see Browser View. 
File Filter | Click File Filter to quickly isolate specific files by kind or attribute. For more information, see File Filters. 
Actionable Intel | Click Actionable Intel to see sub-views pertaining to the user's program execution (including Windows jump lists), device connections, device backups, account usage, file downloads, file knowledge (like recent items, Windows link files, and trash), passwords (Apple keychains), and searches. For more information, see Actionable Intel View. 
Communication | Click Communication to see sub-views containing calls, messages, posts, voicemail, voice memos, favorites, contacts, and email. This includes data parsed from SMS, iMessage, and messages from other communication apps such as Skype, WhatsApp, Textfree, Kik, and so forth. For more information, see Communication View. 
Media | Click Media to see and sort all pictures and video files located on devices, in folders, or recovered from unallocated space in Gallery view. Audio files may also be found in the Media view. For more information, see Media View. 
Locations | Click Locations to see data parsed from maps applications, files containing location data, Wi-Fi networks, and location services data. For more information, see Locations View. 
Internet | Click Internet to see internet history and cache information for Safari, Firefox, Chrome, Internet Explorer, and Edge browsers. For more information, see Internet View. 
Productivity | Click Productivity to see data from the Calendar and Notes applications (macOS and iOS). For more information, see Productivity View. 
System | Click System to see specific system files (including Windows registry items), data from Spotlight (macOS), data from a device's dynamic dictionary database, information about installed applications (including profile information for installed social media apps), data from system logs, and memory parsed from memory files or Windows hibernation files. For more information, see System View. 
Plugins | Click Plugins to see data parsed by any Inspector plugins for the selected devices. Inspector supports Apple Pattern of Life Lazy Output'er (APOLLO), a python script used to query data from iOS databases. For more information, see Plugins View. 
Notifications | Click Notifications to see notifications, copy their text and dismiss them. A badge indicates the number of unread notifications. 
Show/Hide Filter | Show/Hide Filter appears just below Notifications, and only for views that allow you to filter data directly. The arrows are green when a filter is applied in the current view. For more information, see File Filters and Filtering within Specific Views. 


Component List 


The Component list includes these sections. 


• Evidence 
• Activity 
• Content Searches 
• Index Searches 
• Tags 
• Investigative Notes 


These sections are always present in the Component list; however, items listed under each 
Component list section change according to user actions and evidence added or deleted. 


[Screenshot: the Component list, showing Evidence (two disk images with their volumes, such as 
NTFS / exFAT (0x07), Recovery, DATA, EFI, Racer - Data, Racer and BOOTCAMP), Activity 
(Evidence Status and Export Status), Tags, Content Searches, Index Searches and Investigative 
Notes.] 
Evidence 


In the Evidence section of the Component list, you can see a hierarchical device list. When you 
acquire a device, the new device is added to this list. A hard drive icon represents data imported 
from a disk image. Mobile device icons display according to the type of source device type (such 
as Android, iPhone, iPad, or iPod). In the Evidence section of the Component list, select a disk 
image. The disk image partitions and partitions containing carved files in unallocated space are 
shown. When multiple pieces of evidence have been added to a case file, you can reorder 
evidence items by highlighting a specific item and dragging it up or down in the list. 


In the Component list to the right of Evidence, click Add to add another item to the case. To 
remove an item from the case, open the context menu and click Remove <Name> from Case. 


To show or hide the Component list and File Information pane, click Window > Hide Toolbar and 
Sidebar. 

Each evidence item is associated with a colored badge number. The numbering is sequential and 
is assigned by Inspector upon initial evidence ingestion. When an image that contains multiple 
volumes is added to Inspector, those volumes appear in the Component list with sequentially 
numbered badges. The image container itself is not numbered. 
To see any data from a specific item within any Inspector view, mark the checkbox next to the 
appropriate volume. If the checkbox is not marked, that particular item will not appear in any 
view. The exception to this is the Details view, where each volume added to Inspector can be 
selected in the Details For field. 


All the other views show data from the selected items. The Browser view shows the hierarchy of 
each volume along with the numbered badge and the volume label. 


[Screenshot: the Browser view of second case.inspector, with the Evidence section listing 
volumes (including BOOTCAMP, Racer - Data snapshots and a Carved Files entry) next to their 
numbered badges, a context menu showing View In External Application and Reveal File On Disk, 
and the Hex, Strings, Preview, Metadata and Location tabs below.] 


Likewise, the File Filter view shows the numbered badge in the first column for each 
corresponding item. All views within Inspector work this way. 


If a volume is removed or added, badge numbering does not change to reflect the addition or 
removal. Any subsequently added volumes continue to be numbered incrementally. 
Activity 

The Activity section of the Component list includes these categories. 

• Export Status 
• Evidence Status 


Export Status 


In the Activity section of the Component list, click Export Status. File export progress indicators 
are displayed here. A numerical badge next to Export Status indicates how many files are 
currently exporting. Completed exports are also listed. 


To clear the Export Status list, in the bottom left corner of the Content pane, click Clear 
List. 


Evidence Status 


In the Activity section of the Component list, click Evidence Status to see the status of device 
acquisition and data processing, and to perform additional data processing on a device. 


Each evidence item has its own area. All processing options are shown for the item with the 
status of each. File processing options may be activated at any time during an examination. To 
start a process that has not yet begun, click Run for that process. 


You may run the Known Files and the File Carving processes multiple times. Click Run next to 
Known Files to calculate hash values again. Click Rerun in the File Carving column to locate and 
select additional file types in unallocated space. 
These are the available processing options. 

Name               Description 
Parsing            Analyzes the file system and file paths 
Extract Data       Processes data to populate the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs 
DB Recovery        Recovers deleted entries from databases 
File Types         Performs file signature analysis and compares each file's header to its extension 
Pictures           Locates and builds thumbnails for all images, runs Image Analyzer 
OCR Image Text     Processes image (picture) files to extract text. Optical character recognition (OCR) converts text detected in the image into plain text which can be indexed and then searched. This process can be slow and is limited to these image types: pdf, tiff, bmp, png, jpg, gif 
Indexing           Builds a smart index from data in allocated space 
Videos             Locates and splits video files into sixteen-frame sequences, runs Image Analyzer 
Hashes             Calculates file hash values 
Known Files        Compares file hashes to the selected hash databases 
File Carving       Attempts to carve known file types from unallocated space 
Journal            Processes the $UsnJrnl change journal on Windows and the .fseventsd logs on macOS 
Events/Logs        Processes the Windows $LogFile, EVT/EVTX event logs, macOS ASL logs, and macOS unified logs 
Archives           Expands and processes the following archive files: zip, gz, 7z, tar 
Content Search     Runs built-in searches against memory files 
Spotlight          Processes macOS Spotlight extended attribute data 
Mail               Processes Apple Mail and Outlook mail files 
Correlation        Identifies correlated events done by the system, by a user, or by device 
iCloud             Processes iCloud backups from iCloud production files 
Hiberfil/Pagefile  Processes the Windows memory hibernation file (hiberfil.sys) and pagefile (pagefile.sys) 
Entropy            Determines the possible encryption level of files 
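Two of these processors, File Types and Entropy, can be shown in a few dozen lines. The following Python is an added example; it is not Inspector's code, and the signature table and the 7.5-bit threshold are this example's own assumptions. It reads each file's header, compares the type the header implies with the extension in the name (the pair that appears as Extension and ContentExtension in the File Information pane), and computes the Shannon entropy that flags possibly encrypted or compressed content. The sample files are constructed inline.

```python
import math
import random
from collections import Counter

# Magic-byte table: (signature at offset 0, canonical content extension,
# extensions that legitimately carry it). Constructed for this example;
# Inspector's own signature database is not public.
SIGNATURES = [
    (b"\xFF\xD8\xFF", "jpg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"BM", "bmp", {"bmp"}),
    (b"II*\x00", "tiff", {"tif", "tiff"}),
    (b"MM\x00*", "tiff", {"tif", "tiff"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"SQLite format 3\x00", "sqlite", {"db", "sqlite", "sqlitedb"}),
    (b"MZ", "exe", {"exe", "dll", "sys", "scr"}),
    (b"\x7fELF", "elf", {"elf", "so", ""}),
]

# Entropy above this (bits per byte) is flagged as possibly encrypted or
# compressed. The threshold is an assumption for the example.
HIGH_ENTROPY_BITS = 7.5


def name_extension(name):
    """Extension from the file name, lower-cased; '' when there is none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def content_extension(data):
    """Extension implied by the header, or None when no signature matches."""
    for magic, canonical, _ in SIGNATURES:
        if data.startswith(magic):
            return canonical
    return None


def extension_mismatch(name, data):
    """True when the header identifies a type the file name does not claim.
    An unrecognised header cannot be judged, so it never counts as a mismatch."""
    for magic, _, allowed in SIGNATURES:
        if data.startswith(magic):
            return name_extension(name) not in allowed
    return False


def shannon_entropy(data):
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze(name, data):
    """Fields the File Types and Entropy processors would fill in for one file."""
    ent = shannon_entropy(data)
    return {
        "Name": name,
        "Extension": name_extension(name),
        "ContentExtension": content_extension(data),
        "ExtensionMismatch": extension_mismatch(name, data),
        "Entropy": round(ent, 3),
        "PossiblyEncrypted": ent > HIGH_ENTROPY_BITS,
    }


if __name__ == "__main__":
    # Constructed sample files: a JPEG renamed to .pdf, a minimal PDF, and a
    # blob of pseudo-random bytes standing in for ciphertext.
    rng = random.Random(2024)
    samples = {
        "invoice.pdf": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + bytes(512),
        "report.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
        "notes.txt": bytes(rng.getrandbits(8) for _ in range(4096)),
    }
    for name, data in samples.items():
        print(analyze(name, data))
```

A mismatch between Extension and ContentExtension is a cheap, high-value filter during triage: a JPEG header under a .pdf name, or an executable under a .jpg name, is how files are most often hidden from a casual listing. High entropy on its own is weaker evidence, because compressed formats (zip, docx, most media) score as high as ciphertext; the signature check is what separates the two.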
These are the possible status symbols that can appear for a processing option. 

Symbol                                Meaning 
Progress bar                          Overall progress of partition processing for the selected processing options. 
Timestamp with status light and timer (for example 2019-10-21 14:07:43 (UTC)) 
                                      • Green light shows when processing started. 
                                      • Yellow light shows when processing is still in progress. 
                                      • Green light shows when processing completed. 
                                      • Timer shows the time it took to process the partition. 
Spinner                               Seen when the Parsing or DB Recovery processes are running. 
Check mark                            Process has completed. 
Partial check mark                    Process has completed, but there are more options to run that were not selected. 
Percentage (for example Extract Data 73.9%) Process is running but not complete. The process cannot be paused. 
Pending (for example Hashes Pending)  Process is waiting to run. 
Percentage with Pause (for example Hashes 8.82%) Process is running but not complete. The process can be paused. 
Empty circle                          Process has not been chosen to run. 
Dash                                  Process cannot run on the partition. 
Error symbol                          There was an error with the process. 

With an evidence item selected, Inspector shows a full log of the processing options run on the 
selected evidence. When a process is running, a pie progress wheel will display next to the 
device in the Component list which is processing. The pie progress will show the percentage of 
completed items. 


In the Component list next to the Evidence Status item, a numerical badge indicates the number 
of devices currently processing. A numerical badge with the number of processors running for a 
given device appears next to each device in the Component list. An examiner may not view any 
data while the badge on the imported device reads “Busy.” The badge displays a number as soon 
as the parsing process is complete. 


Once parsing is completed on a partition, the examiner can begin browsing data in various views, 
though it must be remembered that not all data is available to view until processing is complete. 


When all the processors have completed, the case is fully ready for review, and an examiner may 
select any of the toolbar buttons to access different Inspector views. 


Certain processes can be paused during their progress. These processes will be identified by the 
Pause button. When clicked, the processor halts its progress and displays the gray Run button. 
To resume processing, click Run. 


The Hashes processor calculates MD5, SHA1, or SHA256 hash values (or any combination of the 
three) of the files within the selected evidence item. This processor can be rerun at a later date if 
the examiner wishes to recalculate the file hash values. To rerun this processor, click the yellow 
Run button in the Hashes column, and right-click the desired hash type in the Hash Types 
window that appears. A Rerun button appears. Click Rerun and the Complete status changes 
to a checkbox, which can be selected for processing. MD5 and SHA1 are still needed to match 
older hash sets, but both are collision-prone; include SHA256 whenever the hashes will be used to 
attest the integrity of evidence rather than only to look files up. 


Content Searches 

The Content Searches section of the Component list allows users to create Content Searches 
and displays Content Searches that have been run. For more information, see Search. 

Index Searches 


The Index Searches section of the Component list provides access to the Smart Index. New 
queries of the Smart Index can be created, and saved queries can be accessed. For more 
information, see Search. 


Tags 


Tagged items are accessible via Tags in the Component list. For more information, see Tags. 
Investigative Notes 


Workspace Orientation 


Investigative Notes are accessible in the Component list. Investigative Notes provide an area for 
the examiner to copy and paste or type in information they wish to note during the analysis. 


To add an Investigative Note, in the Component list click Add to the right of Investigative Notes. 


[Screenshot: Component list showing the Evidence, Activity, Tags, Content Searches, Index Searches, and Investigative Notes sections, with New Investigative Note 1 under Investigative Notes] 


In the Investigative Note window, you can name the note and then paste or type content. 
Investigative Notes are saved in the case file but cannot be put in the analysis report. 
Details View 


In Cellebrite Inspector, the Details view shows information about the device, device partition, file, 
and folder for each evidence item in the case. Disk images display differently in the Details view 
depending on the item type (for example, partitions, unallocated space, folders, Android 
devices, and so forth). You can choose whether to include items shown in the Details view in the 
examiner report. For more information, see Reporting. 


In Details view, you can copy and paste text from the Content pane into a text file or export the 
text to a spreadsheet or database file. To the right of the device icon, select any or all of the 
device description text, then use your operating system's shortcut keys to copy and paste the text 
into your text file. To export the selected text items to a tab-delimited or CSV file, select text 
items in the Content pane, then open Inspector's context menu and click Export Selected Rows. 


Details View for Disk Images 


In the Evidence section of the Component list, select a disk image. In the toolbar, click Details. 
The Summary tab in the Content pane displays image attributes such as the device name, disk 
protocol, disk path, total size, and MD5, SHA1, and SHA256 hash values (or a Calculate Disk 
Hash link if a hash has yet to be calculated). Information about each partition is shown, such as 
partition type, partition name, start sector, and sector count, for the boot record, free space, EFI, 
file system, and so on. 


20210310.000558-99b0e44 


The Summary tab offers a section at the bottom for entering an evidence ID and customizing the 
device name (Inspector automatically populates the Evidence Name text field; however, this may 
be changed according to company/agency practices). 
The Disk View tab offers a raw look into the disk structure itself. From this view, the full partition 
list is displayed as in the Summary view; however, each partition type may be selected to display 
the corresponding disk view. In addition, the Data Interpreter pane interprets any bytes you 
highlight in the hex view, reading them as integers of several widths and endiannesses and as 
timestamps in common encodings. 
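The Data Interpreter pane re-reads whatever bytes you highlight as integers and as timestamps in several encodings. The following Python is an added example, not Inspector code, that does the same for a byte selection. The set of formats and the key names are this example's own choices; it treats HFS+ dates as local time, as Inspector labels them, and it reports "out of range" when a reading cannot be a date, which is usually the quickest way to rule an encoding out.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epochs behind the timestamp formats a hex Data Interpreter offers.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME, Chrome/WebKit
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS/HFS+ (stored as local time)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Cocoa / Apple absolute time


def _when(epoch, suffix="(UTC)", **delta):
    """Epoch plus offset as 'YYYY-MM-DD HH:MM:SS (UTC)', or a marker when the value
    cannot be a date (very large numbers overflow datetime)."""
    try:
        return (epoch + timedelta(**delta)).strftime("%Y-%m-%d %H:%M:%S ") + suffix
    except OverflowError:
        return "out of range"


def integers(raw, little_endian=True):
    """Signed and unsigned readings of the first 1, 2, 4 and 8 bytes."""
    prefix = "<" if little_endian else ">"
    out = {}
    for width, code in ((1, "b"), (2, "h"), (4, "i"), (8, "q")):
        if len(raw) >= width:
            out[f"int{width * 8}"] = struct.unpack(prefix + code, raw[:width])[0]
            out[f"uint{width * 8}"] = struct.unpack(prefix + code.upper(), raw[:width])[0]
    return out


def timestamps(raw, little_endian=True):
    """The same bytes read as each common timestamp encoding."""
    ints = integers(raw, little_endian)
    out = {}
    if "uint32" in ints:
        s = ints["uint32"]
        out["Unix"] = _when(EPOCH_1970, seconds=s)              # seconds since 1970
        out["HFS+"] = _when(EPOCH_1904, "(Local)", seconds=s)   # seconds since 1904, local time
        out["Cocoa"] = _when(EPOCH_2001, seconds=s)             # seconds since 2001
    if "uint64" in ints:
        v = ints["uint64"]
        out["FILETIME"] = _when(EPOCH_1601, microseconds=v // 10)  # 100 ns ticks since 1601
        out["Chrome/WebKit"] = _when(EPOCH_1601, microseconds=v)   # microseconds since 1601
        out["Unix ms"] = _when(EPOCH_1970, milliseconds=v)         # milliseconds since 1970
    return out


def interpret(raw, little_endian=True):
    """Everything the interpreter pane would show for one highlighted selection."""
    return {
        "hex": raw.hex(" "),
        "ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in raw),
        **integers(raw, little_endian),
        **timestamps(raw, little_endian),
    }


if __name__ == "__main__":
    # Constructed selection: 00 80 3E D5 DE B1 9D 01 is the FILETIME value for
    # 1970-01-01 00:00:00 UTC, so the FILETIME row is the one that makes sense.
    for key, value in interpret(bytes.fromhex("00803ed5deb19d01")).items():
        print(f"{key:>14}: {value}")
```

Endianness is the first thing to get right: the same four bytes read little-endian and big-endian give two unrelated dates, and the Disk View status line tells you which byte order the pane is using. The HFS+ reading carries a (Local) suffix because the volume header stores that date without a zone; the Unix, Cocoa and Windows readings are UTC.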
It is also possible to search for strings or hex values from this view. To find a deleted 
HFS+ partition, for example, search for the volume header signature: enter the ASCII characters 
H+ (hex 48 2B) in the search field and press ENTER to start the search. The signature sits 
1024 bytes into the volume, so a hit at a sector-aligned offset plus 1024 marks a candidate 
volume start. (Classic HFS volumes use the signature BD instead.) 


The first time a hit is found, it is highlighted in bright green. To find more occurrences, use these 
keyboard shortcuts. 


• Mac computers: CMD+G 
• Windows computers: CTRL+G 


In Disk View, certain data structures for various filesystems are color coded, and you can review 
their interpreted values in the Data Structure view. For more information, see Hex Templates 
and Data Structure View. 


Details View for Partitions and Imported Folders 


In the Evidence section of the Component List, select a disk image partition or imported folder. 
In the toolbar, click Details. 


The Details view has two sub-views, Summary and Disk View. 
Summary View 


Cellebrite Inspector User Guide 


The Summary view in the Content pane shows information about the top-level selected item, 
such as its name, disk protocol, total size, and index. 

In the Details For field, choose a specific evidence item to see Extended Information and the 
Artifacts bar chart. 

In Extended Information, you can see more details for the selected evidence item such as file 
system type, total size, space used, space available, and timestamps for creation, modification, 
and access. For all standard volume types, Inspector parses out "Root File" timestamps that 
correspond to the root file within the volume. 


To change the Device name or Evidence ID, click Edit (pencil icon) to the right of either field. Type 
the appropriate name in the Device field or the appropriate information in the Evidence ID field, 
and then click outside the text field to escape it. 


For FAT16 and FAT32 volumes, you can select the time zone in the File System Time Zone field, 
above the Artifacts bar chart. FAT stores its timestamps as local time with no zone information, 
so Inspector needs this setting to present them consistently with the UTC timestamps of other 
volumes. 

[Screenshot: Summary view showing Device and Evidence ID fields with Edit (pencil) icons, Volume: EFI, File System: FAT32, Total Size: 200.0 MB (209715200 Bytes), and File System Time Zone: Unknown] 

In the Artifacts bar chart, you can see the quantity of file types for items such as movies, 
graphics, emails, documents, disk images, and archives. Inspector automatically detects the 
presence of archive files (.zip, .sit, .tar) and disk image files. 


When you double-click one of the colored bars, the File Filter view appears and shows the 
appropriate analysis view according to the selected bar. 


Disk View 


To see the selected partition in its raw view, click Disk View. This lets you see and search any free 
space, along with slack space, within the partition. Only data from within the selected partition is 
seen in this view. To see data outside of the partition, you must select a different partition or the 
full disk in the Details For field. 


To use the Disk View sub-view in other Inspector views, open the context menu for a selected 
item, and then click Reveal File in Disk View to see the first sector of the selected file in Disk View. 


Notes for macOS Computers 


Information is also parsed from various macOS plist files including model, host name, serial 
number, macOS setup timestamp, time zone, language, AirPort ID or AirPort Discoverable Mode, 
and MAC and IP address. 


For macOS 10.15, macOS information is parsed from the <System Volume> - Data partition, not 
from the system partition (<System Volume>). 


For HFS+ volumes, Inspector does not parse the file and folder counts from the volume header. 
Rather, it adds up the total number of files and folders based on what has been parsed from the 
catalog plus the raw HFS files. 


The Volume Create Date timestamp for HFS+ volumes is stored in local time, based on the 
system's local time zone setting, rather than based on UTC. Inspector denotes this by showing 
(Local) next to the Volume Create Date timestamp. Volume timestamps for HFS+ volumes are 
parsed from the volume header. 
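The H+ signature search described under Disk View and the HFS+ timestamp note above come together in the following Python script, an added example that is not Inspector code. It scans a raw image for the signature 1024 bytes past a sector boundary, checks the header version and block size to weed out chance hits, and decodes the header dates, treating createDate as local time and the other dates as UTC, as the HFS+ format specifies. It also reads fileCount and folderCount from the header; as noted above, Inspector does not rely on those fields and counts the catalog instead. The image and the volume header are constructed inline; the field layout follows Apple Technical Note TN1150.

```python
import struct
from datetime import datetime, timedelta

SECTOR = 512
HEADER_OFFSET = 1024                         # volume header sits 1024 bytes into the volume
SIGNATURES = {b"H+": "HFS+", b"HX": "HFSX"}  # 0x482B and 0x4858 at the start of the header
HEADER_FMT = ">2sH" + "I" * 11               # big-endian, first 48 bytes of HFSPlusVolumeHeader
HEADER_LEN = struct.calcsize(HEADER_FMT)     # 48
EPOCH_1904 = datetime(1904, 1, 1)
JOURNALED_BIT = 1 << 13                      # kHFSVolumeJournaledBit in the attributes field


def hfs_time(seconds, local=False):
    """HFS+ dates are 32-bit seconds since 1904-01-01. createDate is stored as
    local time, the other header dates as UTC; 0 means 'never set'."""
    if seconds == 0:
        return None
    stamp = (EPOCH_1904 + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
    return f"{stamp} ({'Local' if local else 'UTC'})"


def parse_volume_header(hdr):
    """Decode the fixed-layout fields at the front of a volume header."""
    (sig, version, attrs, _last_mounted, _journal_block, create, modify, backup,
     checked, files, folders, block_size, total_blocks) = struct.unpack(HEADER_FMT, hdr[:HEADER_LEN])
    return {
        "type": SIGNATURES.get(sig),
        "version": version,
        "journaled": bool(attrs & JOURNALED_BIT),
        "create_date": hfs_time(create, local=True),
        "modify_date": hfs_time(modify),
        "backup_date": hfs_time(backup),
        "checked_date": hfs_time(checked),
        "file_count": files,        # header counts; Inspector totals the catalog instead
        "folder_count": folders,
        "block_size": block_size,
        "total_blocks": total_blocks,
        "volume_bytes": block_size * total_blocks,
    }


def looks_valid(info):
    """Weed out chance 'H+' hits: version 4 (HFS+) or 5 (HFSX) and a power-of-two
    allocation block size of at least 512 bytes."""
    b = info["block_size"]
    return (info["type"] is not None and info["version"] in (4, 5)
            and b >= 512 and b & (b - 1) == 0 and info["total_blocks"] > 0)


def scan_image(image):
    """Walk the image sector by sector; report every plausible volume whose header
    survives 1024 bytes past that sector boundary, even with the partition table gone."""
    hits = []
    for start in range(0, len(image) - HEADER_OFFSET - HEADER_LEN + 1, SECTOR):
        off = start + HEADER_OFFSET
        if image[off:off + 2] in SIGNATURES:
            info = parse_volume_header(image[off:off + HEADER_LEN])
            if looks_valid(info):
                info["volume_start_sector"] = start // SECTOR
                hits.append(info)
    return hits


def make_header(create, modify, block_size, total_blocks, files, folders, sig=b"H+"):
    """Constructed header for the sample image; only the first 48 bytes carry data."""
    version = 4 if sig == b"H+" else 5
    hdr = struct.pack(HEADER_FMT, sig, version, JOURNALED_BIT, 0, 0,
                      create, modify, 0, 0, files, folders, block_size, total_blocks)
    return hdr.ljust(SECTOR, b"\x00")


def sample_image():
    """Constructed raw image: 34 wiped sectors where the partition table used to be,
    then an HFS+ volume, then some trailing free space."""
    create = int((datetime(2019, 10, 21, 14, 7, 43) - EPOCH_1904).total_seconds())
    volume = bytes(HEADER_OFFSET) + make_header(create, create + 3600, 4096, 51200, 1234, 56)
    return bytes(34 * SECTOR) + volume + bytes(8 * SECTOR)


if __name__ == "__main__":
    for hit in scan_image(sample_image()):
        print(hit)
```

The version and block-size checks matter because the two bytes 48 2B occur by chance in ordinary data; a raw string search for H+ in Disk View will return those hits too, and the surrounding header fields are how you tell a real volume from noise. Note that a recovered createDate is only as trustworthy as the zone of the machine that formatted the volume, which is why Inspector marks it (Local).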
Details View for Mobile Devices 


The Details view shows specific device information, including iOS device backup folder 
information for each iOS item in the case. Device items displayed in the Details view may also be 
included in or excluded from the examiner report. For more information, see Reporting. 


In the Evidence section of the Component list, select an Android device, iOS device, or iOS 
backup folder. On the toolbar, click Details. When a device is selected in the Component list, the 
Content pane displays device attributes such as device type, OS version, phone number, cellular 
usage, serial number (when available), model number, UDID, AirDrop ID (iOS devices), AirDrop 
Discoverable Mode (iOS devices), and last iOS backup timestamp (iOS devices). 




When an iOS backup folder is selected in the Component list, the Content pane displays 
attributes such as the backup folder's associated device type, iOS version, phone number, serial 
number, UDID, IMEI, AirDrop ID, and last backup timestamp. 


To change the Device name or Evidence ID, click just to the left of the pencil icon. Type the 
appropriate information into the text field and click outside the text field to escape it. The 
modified text appears. 


In Artifacts, two bar graphs appear. Inspector automatically detects the presence of archive files 
(.zip, .sit, .tar) and disk image files. The left bar graph displays file counts by file type for these 
file types and others, such as graphics, documents, emails, movies, and disk images. The right 
bar graph displays file counts by file type for messages, apps, browser artifacts, notes, contacts, 
events, voicemail, and calls. 


When you double-click on a colored graph bar, Inspector switches to and configures an 
appropriate analysis view depending on the item selected. 


These are the options for the left bar graph. 


Options       Description 
Movies        Switches to File Filter view > Movie Files 
Graphics      Switches to File Filter view > Graphics Files 
Emails        Switches to File Filter view > Email Files 
Documents     Switches to File Filter view > Document Files 
Disk Images   Switches to File Filter view > Disk Image Files 
Archives      Switches to File Filter view > Archive Files 


These are the options for the right bar graph. 


Options Description 


Messages Switches to the Communication view, Messages sub-view 
Apps Switches to the System view, Applications sub-view 
Browser Switches to the Internet view 

Notes Switches to the Productivity view, Notes sub-view 
Contacts Switches to the Communication view, Contacts sub-view 
Events Switches to the Productivity view, Calendar sub-view 
VoiceMail Switches to the Communication view, Voicemail sub-view 
Calls Switches to the Communication view, Calls sub-view 


Details View for Other Types of Evidence Items 


In the Evidence section of the Component list, select an evidence item (such as unallocated 
space (carved files), memory, a folder, a file, and so forth). On the toolbar, click Details. 


The Artifacts bar graph shows file counts by file type for items such as movies, graphics, emails, 
documents, disk images, and archives. File count and bytes used are also shown. When you 
double-click on a colored graph bar, Inspector switches to and configures an appropriate 
analysis view depending on the item selected. 
File Information Pane 


All files contain metadata. Metadata is most easily defined as data about the data. Select a file 
in the Content pane. The file's metadata displays in the File Information pane. 


If the selected file is a picture file, additional metadata or extended attributes such as hash 
values, date and time stamps, file paths, file size and EXIF, TIFF and location (GPS) data may be 
included in the file and displayed in the File Information pane. The screenshot below shows 
metadata found in a file. 


While all file systems have some metadata in common, additional metadata is available for some 
file systems. Metadata for all file systems commonly includes: 


• Name 
• Path 
• Size 
• Extension 
• Date Created 
• Date Changed 
• Date Modified 
• Date Accessed 
• Hash Values 
• Location on Disk 


File System and Operating System Unique Metadata 


Some metadata is unique to the file system. Metadata unique to APFS and HFS Plus includes: 


• Owner and Group ID 
• Visible 
• Locked 
• Permissions 
• Date Added 
• Spotlight Metadata 


Spotlight metadata includes a vast amount of information. Data can be filtered based on 
Spotlight metadata. For more information, see Artifact Items. 


HFS Plus has additional metadata not found in APFS including: 


• Label color 
• Extended Attribute data 
[Screenshot: File Information pane for a Word document (BMW_infotainment.docx, kMDItemKind "Microsoft Word 2007 document"), showing these groups of fields] 

Field: BBTID, FileSystemID, Name, Path, Size, SizeOnDisk, Extension, ContentExtension, Date Created, Date Changed, Date Modified, Date Accessed, FileSystemOffset, fsType, Directory, Visible, Locked, Owner ID, Group ID, Permissions, Entropy, ForkCount, Hash:1:SHA1, Hash:1:SHA256, Hash:1:MD5, Extents, Sector Start, Hash Set Category 

Metadata: BSD Flags, com.apple.lastused..., com.apple.macl, Date Added, Tracked 

Spotlight: kMDItemContentCre..., kMDItemContentMo..., kMDItemContentType, kMDItemContentTyp... (the content type tree, which for this file includes public.zip-archive, com.pkware.zip-archive, public.data, public.item, public.archive, public.composite-content and public.content), kMDItemDateAdded, kMDItemDisplayName, kMDItemInteresting..., kMDItemKind, kMDItemLastUsedD..., kMDItemLogicalSize, kMDItemPhysicalSize, kMDItemUseCount, kMDItemUsedDates[... 
On Windows systems, NTFS stores Access Control Lists to control file system permissions. Each 
file on a Windows system has Access Control Entries (ACEs) that control file permission. The 
ACEs are parsed in the File Information pane. For more information, see Artifact Items. 


Media File Metadata 


Picture and video files typically have additional metadata, including: 


Category                  Description 
Summary                   Image summary data (i.e., format, image dimensions, color space, aspect ratio, skin tone %) 
TIFF                      TIFF tag data. TIFF (Tagged Image File Format) is an image file format; its tag structure is also what carries EXIF data inside JPEG files 
EXIF                      Exchangeable Image File Format. Includes GPS, camera make, model, settings and sound data 
GPS                       Location-based data stored by the digital camera 
Threat Category           Threat category calculated for the image file 
Various other categories  Application-specific metadata 


The metadata contained in each media file varies based on file type, how the media file was 
created, and other factors. 
File Content View 


In the Content pane, select a file. If the File Content view is hidden, at the bottom of the Content 
pane select and drag the double hash marks up or down to see file data in the File Content view. 


Note: The File Content view pane does not appear in the Details, Report, and Share views. 


These are the tabs available in the File Content view. 


• Hex 
• Strings 
• Preview 
• Metadata 
• Location 
• Record 

You can “tear off" the File Content view as a separate window so you can simultaneously see 
multiple copies of the File Content view. This lets you see the File Content view in its own 
window. 


In the upper left of the File Content view, immediately above the Hex tab, there is a grab handle 
appearing as several short, vertical lines. Click the handle and drag it away in any direction. A 
new File Content view window is created. This new window can be placed on another monitor if 
multiple monitors are being used, and it can be enlarged to the desired size. 


Additional tear-off File Content view windows can be created, and each one can be used to view 
different data if desired. For instance, one window may show the Preview tab, while another 
shows Metadata, and a third reveals Location maps. When a file is selected within the original 
case window, such as in Browser view, all of the tear-off windows update to reflect information 
related to that file. 


There is no need to reconnect these tear-off windows to the original case window. Simply close 
each window when finished with it. Even though the File Content view can be hidden on the 
original case window, it is always there and never has to be reattached. 
Hex 


Click Hex to display data in hexadecimal and ASCII characters. In the lower right corner of the 
File Content view, the sector offset, physical sector, logical sector, cluster start, and selection 
length for the current cursor position are displayed. Select and drag across data of interest to 
highlight it, open the context menu from the highlighted area, and then click Tag Hex Data As to 
tag the data and include it in the examiner report. For more information, see Tagging. 


[Screenshot: Hex tab of a JPEG (FF D8 FF E0 ... JFIF ... Exif ... Apple iPhone 5) with the Data Interpreter pane to the right offering String, Date/Time (Chrome, Cocoa, Cocoa Nanoseconds, FILETIME, Firefox, ...) and integer readings of the selection, and the status line Sector Offset: 0x35 (53) Position: 0x35 (53) Selection: 0xE (14) Little Endian] 


When a file is examined in Hex view, Inspector displays the allocated bytes of the file in black. The 
RAM slack (i.e., data from the last byte of the file to the end of the sector) is shown in lavender, 
and the disk slack (i.e., the start of the next sector to the end of the cluster, or logical block on 
the Mac) is displayed in red. 


[Screenshot: Hex tab at Sector Offset 0x1F0 (496), Position 0x57F0 (22512), Little Endian, showing the end of a file's allocated bytes followed by slack, with the Data Interpreter pane listing Date/Time (FILETIME, Firefox, Java, Unix) and 8-bit signed/unsigned readings] 


Strings 


Click Strings to display ASCII printable strings of three characters or more. If the selected file is a 
text file, an examiner can perform a keyword search within the displayed text strings in both the 
Strings and Preview tabs. 


When the OCR (optical character recognition) process has completed, any text parsed from 
supported image file types can be seen on the Strings tab. OCR text appears after this label: 
****** OCR Image Text ******. While you can search OCR text with an index search, a content 
search cannot find it because it does not exist as plain text in the file. You may also use the OCR 
Image Text file filter option to filter image files that have recognized text. 


When you click Edit > Find, a Find dialog box appears. You can drag search results to select and 
tag them. 
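The slack coloring described under Hex marks three byte ranges of a file's last cluster, and the Strings tab then pulls printable runs out of whatever range you are looking at. The following Python is an added example, not Inspector code, that computes the three ranges for a given file size and runs a three-character strings pass over the slack of one constructed 4 KiB cluster; the sector and cluster sizes are assumptions for the example.

```python
import re

SECTOR = 512      # sector size assumed for the example
CLUSTER = 4096    # cluster (NTFS) / allocation block (HFS+) size assumed for the example


def slack_regions(file_size, cluster_bytes=CLUSTER, sector_bytes=SECTOR):
    """Byte ranges inside the file's last cluster, relative to that cluster's start:
    allocated bytes (black in Hex view), RAM slack (lavender) and disk slack (red)."""
    used = file_size - ((file_size - 1) // cluster_bytes) * cluster_bytes if file_size else 0
    sector_end = -(-used // sector_bytes) * sector_bytes    # round up to the sector
    return {
        "allocated": (0, used),
        "ram_slack": (used, sector_end),
        "disk_slack": (sector_end, cluster_bytes),
    }


def printable_strings(data, min_len=3):
    """ASCII printable runs of min_len or more, as the Strings tab lists them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strings_in_slack(last_cluster, file_size):
    """Strings that exist only beyond the file's logical end. Modern file systems
    zero-fill RAM slack when they write the final sector, so leftovers from the
    sectors' previous occupant normally survive only in disk slack."""
    regions = slack_regions(file_size, cluster_bytes=len(last_cluster))
    return {name: printable_strings(last_cluster[a:b])
            for name, (a, b) in regions.items() if name != "allocated"}


def sample_cluster():
    """Constructed 4 KiB cluster: a 1300-byte file written over sectors that used to
    hold a deleted note, with the old bytes left behind past the first 3 sectors."""
    old = (b"old-draft: password=hunter2\x00meeting 2019-10-21\x00" * 200)[:CLUSTER]
    new = (b"Quarterly figures attached.\n" * 50)[:1300]
    return new + bytes(3 * SECTOR - len(new)) + old[3 * SECTOR:]


if __name__ == "__main__":
    print(slack_regions(1300))
    print(strings_in_slack(sample_cluster(), 1300))
```

Anything reported from disk slack belongs to whatever previously occupied those sectors, not to the file whose name you clicked, so record the cluster and offsets (the Hex tab's status line gives them) rather than attributing the string to the current file.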
Preview 

Click Preview to see a file as it would appear in its native application. 

Note: Not all file types display in the Preview tab. Unicode text is not supported in the Strings tab. 


You can toggle the preview between the default (scaled to fit the Preview tab) and actual size. The 
appearance of the toggle depends on the preview displayed at the moment. 


In the upper right corner of the File Content view, click View to see data contained in a file's data 
fork, resource fork, and/or ADS (alternate data stream). 


Note: Data Fork is the default view, as the data fork is where file data resides the majority of the 
time. However, file data on an HFS+ file system is sometimes stored in the resource fork. If a file 
has a resource fork, both Data Fork and Resource Fork view options are present in the drop-down 
menu. Inspector looks to see if a file has a resource fork and, if so, automatically adds this 
option to the drop-down menu. Likewise, if an NTFS file has data in an ADS, an option for viewing 
the ADS is included in the drop-down menu. A file whose real content sits in an alternate stream 
or resource fork shows a small or empty Data Fork, so check the View menu before concluding 
that a file is empty. 


You can preview video files. To see the video file split into sixteen-frame sequences and displayed 
as a 4x4 mosaic, at the top right of the File Content view, click Thumbs. If you click Video, the 
video file is rendered with playback controls. To play the video, click Play. 


[Screenshot: video preview with the Thumbs and Video toggle at the top right of the File Content view] 


In the Content pane, select a file and press the SPACEBAR, or click the Quick Look button (the eye), 
to view the file using Quick Look (Mac only). Quick Look displays native Apple application files (and 
some third-party application files) the same way a user sees them. Audio and video files play 
within the Quick Look view as well. 


Note: The Quick Look feature works only when a Quick Look plug-in for the selected file type, or 
an application that supports the selected file type, is installed on the forensic examiner's analysis 
machine. 


Inspector allows queries to be run on SQLite databases. Select a database and click Preview in the 
File Content view. Enter a valid SQLite query in the upper pane of the File Content view, or 
double-click one of the database tables to the left. When the examiner double-clicks a table, a 
query is automatically populated. The query can be edited and run as desired. When finished 
editing, press ENTER to run the query; results appear in the lower pane. 


[Screenshot: Preview of a SQLite database with the query "Select ckzone, osversion, lastunlock 
from ckdevicestate" in the upper pane, its result rows (ckzone, osversion, lastunlock) in the lower 
pane, and the Data Interpreter open at the right] 


Inspector prevents processing of destructive user-defined SQLite queries (e.g. "CREATE" or 
"DELETE"). When typed, these destructive terms are displayed in red, and an error message is 
displayed. When an existing table or column name is partially typed and the cursor is placed 
anywhere within or directly after that partial name, the examiner can press TAB for autocomplete 
suggestions. A list of tables and columns that contain that partial name appears. The examiner 
can then select a table or column name from the list, and Inspector autocompletes the name in 
the query. 
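The two protections described above, reproduced as an added example (this is not Inspector's own code): destructive terms in a typed query are flagged and the query is refused, and underneath that the database is opened read-only with an SQLite authorizer that denies everything except reads, so a statement that slips past the keyword check still cannot alter the evidence file. The keyword list beyond CREATE and DELETE, the table contents and the file name are constructed for the example.

```python
"""Read-only guard for examiner-typed SQLite queries (added example)."""
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# CREATE and DELETE are the terms the manual names; the rest of the list is
# an assumption about what an examiner would also want refused.
DESTRUCTIVE_KEYWORDS = ("ALTER", "ATTACH", "CREATE", "DELETE", "DETACH", "DROP",
                        "INSERT", "PRAGMA", "REINDEX", "REPLACE", "UPDATE", "VACUUM")
_KEYWORD_RE = re.compile(r"\b(" + "|".join(DESTRUCTIVE_KEYWORDS) + r")\b", re.IGNORECASE)


def flag_destructive_terms(query):
    """Return the destructive keywords in the query, upper-cased, in order of first appearance."""
    found = []
    for match in _KEYWORD_RE.finditer(query):
        word = match.group(1).upper()
        if word not in found:
            found.append(word)
    return found


def _read_only_authorizer(action, arg1, arg2, db_name, trigger_name):
    """SQLite authorizer callback: allow SELECT, column reads and function calls, deny all else."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def query_outcome(db_path, query, keyword_check=True):
    """Run one statement under both guards. Returns ("ok", rows) or ("rejected", reason)."""
    if keyword_check:
        flagged = flag_destructive_terms(query)
        if flagged:
            return ("rejected", "destructive term(s): " + ", ".join(flagged))
    # mode=ro refuses writes at the file level even if the authorizer were bypassed.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        conn.set_authorizer(_read_only_authorizer)
        return ("ok", conn.execute(query).fetchall())
    except sqlite3.Error as exc:          # "not authorized" / "attempt to write a readonly database"
        return ("rejected", "sqlite refused the statement: " + str(exc))
    finally:
        conn.close()


def build_sample_db():
    """Write a constructed ckdevicestate table (values modelled on the screenshot, not real evidence)."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE ckdevicestate (ckzone TEXT, osversion TEXT, lastunlock TEXT)")
    conn.executemany("INSERT INTO ckdevicestate VALUES (?, ?, ?)", [
        ("ApplePay", "iPhone 17.6.0 (15F79)", "2018-08-20T00:00:00Z"),
        ("ApplePay", "macOS 18.7.0 (18G95)", "2019-10-07T00:00:00Z"),
        ("AutoUnlock", "iPhone 17.6.0 (15F79)", "2018-08-20T00:00:00Z"),
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    db = build_sample_db()
    print(query_outcome(db, "SELECT ckzone, osversion, lastunlock FROM ckdevicestate"))
    print(query_outcome(db, "DELETE FROM ckdevicestate"))
    print(query_outcome(db, "DELETE FROM ckdevicestate", keyword_check=False))
```

The keyword check is what the user sees (the red term and the error); the authorizer and the read-only open are the layers that actually protect the database, and the third call shows the authorizer refusing a DELETE that was never keyword-checked.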


Metadata 


With any file selected, click Metadata in the File Content view. The metadata contents shown are 
identical to those displayed in the smaller File Information pane to the left, but you can enlarge 
the pane as much as you need. 




In some cases, only Hash:1:MD5 is shown as an available MD5 hash field; however, at other 
times additional MD5 hash fields may be shown. These numbers are related to the data fork, 
resource fork, and ADS fork. 


Hash:0 = mirror of data fork 
Hash:1 = data fork 

Hash:2 = resource fork (Mac) 
Hash:4 = ADS fork (Windows) 


Location 


Select any media file that contains geolocation (GPS) data (as indicated by a red placemark icon), 
or any applicable record in the Location view, then click Location in the File Content view to 
display one or more offline maps depicting the item's latitude and longitude coordinates. 
Inspector also displays a button to optionally view the location in Google Maps (if connected to 
the Internet), and other geolocation information contained in the file's metadata. 
Offline Maps 


Inspector presents a set of static maps based on OpenStreetMap. Select a file that contains GPS 
coordinates and click Location in the File Content view. In the Location tab, you can see an offline 
map with three levels of zoom. You can download additional maps for additional zoom 
capabilities. 


[Screenshot: Location tab showing an offline OpenStreetMap map of the Las Vegas area with a 
Show on Google Maps... button, and a Property/Value list from the file's metadata: Altitude 
625.6139 m (2053 ft), Altitude Reference Sea level, Image Direction 29.06641, Image Direction 
Reference True direction, Latitude 36.1435, Longitude -115.157333333, Time Stamp 04:32:07. 
Map data © OpenStreetMap contributors] 


The zoom is currently set at levels 3, 5, and 8. When additional zoom level tiles are downloaded, 
Inspector increases its maximum zoom accordingly. When connected to the Internet, you may 
also zoom in by clicking Show on Google Maps. The default web browser opens to Google Maps, 
allowing control of the zoom level and viewing style. 


With Inspector, you can export files containing GPS information as a .kmz file or in .kml format. 
Select the files containing GPS data, open the context menu, click Export > Export Selected 
Location Data As, and then choose either KMZ or KML format. In the Export window, provide a 
file name, choose or create a destination folder, and then click Export. Inspector exports the GPS 
data to a .kmz or .kml file in the destination folder. 
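What a single-placemark .kml carries, as an added example that is not Inspector's export code: the coordinates from the Location screenshot are written into a KML Placemark and read back, and a range check catches the usual mistake of writing them in the wrong order (KML lists longitude first, then latitude, then altitude, the reverse of the Latitude/Longitude rows in the view). The file name IMG_0412.jpg is a constructed label.

```python
"""Write and read back a KML placemark for an item's geolocation metadata (added example)."""
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"


def _tag(name):
    return "{%s}%s" % (KML_NS, name)


def coordinates_plausible(latitude, longitude):
    """Latitude must lie in [-90, 90] and longitude in [-180, 180]; swapped values usually fail this."""
    return -90.0 <= latitude <= 90.0 and -180.0 <= longitude <= 180.0


def placemark_kml(name, latitude, longitude, altitude_m=None, description=""):
    """Return a KML document with one Placemark; raises ValueError on out-of-range coordinates."""
    if not coordinates_plausible(latitude, longitude):
        raise ValueError("latitude/longitude out of range (swapped?)")
    ET.register_namespace("", KML_NS)
    kml = ET.Element(_tag("kml"))
    placemark = ET.SubElement(ET.SubElement(kml, _tag("Document")), _tag("Placemark"))
    ET.SubElement(placemark, _tag("name")).text = name
    if description:
        ET.SubElement(placemark, _tag("description")).text = description
    point = ET.SubElement(placemark, _tag("Point"))
    coords = "%.9f,%.9f" % (longitude, latitude)      # KML order: lon, lat[, alt]
    if altitude_m is not None:
        ET.SubElement(point, _tag("altitudeMode")).text = "absolute"
        coords += ",%.4f" % altitude_m
    ET.SubElement(point, _tag("coordinates")).text = coords
    return ET.tostring(kml, encoding="unicode")


def parse_placemarks(kml_text):
    """Return a list of dicts (name, latitude, longitude, altitude_m), one per Placemark."""
    root = ET.fromstring(kml_text)
    out = []
    for pm in root.iter(_tag("Placemark")):
        coords = pm.findtext(_tag("Point") + "/" + _tag("coordinates"), "").strip()
        parts = [float(p) for p in coords.split(",")]
        out.append({
            "name": pm.findtext(_tag("name")),
            "longitude": parts[0],
            "latitude": parts[1],
            "altitude_m": parts[2] if len(parts) > 2 else None,
        })
    return out


if __name__ == "__main__":
    # Values from the Location screenshot; the file name is a constructed label.
    doc = placemark_kml("IMG_0412.jpg", 36.1435, -115.157333333, 625.6139)
    print(doc)
    print(parse_placemarks(doc))
```

A .kmz file is simply this document stored as doc.kml inside a zip archive, so the same parser applies after extraction.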


Record 


Select a file and click Record in the File Content view. The Record view displays the MFT record, 
catalog tree record, or FAT file system record for the selected file. 


Data Interpreter View 


There is a hidden Data Interpreter view which can be slid into view from the right hand side of 
the File Content view. Select and drag the double hash marks left or right to view file data within 
the Data Interpreter. This view is hidden by default, but once opened it remains in the same 
position until you change it. 


The Data Interpreter works when in the Hex and Strings views. It also works in the Preview view 
for certain file types such as databases and .plists. In the Hex view, select and drag across data 
of interest to highlight it. The Data Interpreter automatically updates its display accordingly. 


The interpreter has three modes in which the data may be displayed: Big Endian, Little Endian, and 
Both. Choose the option which best suits the data type that is being decoded or interpreted. 
Choosing Both allows both the Big Endian and Little Endian values to appear side by side. Use 
the disclosure triangles in the data type rows to show or hide values. 


In this example, the date is highlighted in green. Looking at the Big Endian FILETIME date, it 
becomes clear that the date is not real; however, the Little Endian date is. This might lead the 
examiner to conclude that this is a Microsoft date, as Microsoft uses the Little Endian storage 
format for integers (most significant bit first). 


[Screenshot: Hex view with the Data Interpreter pane open at the right; a highlighted 8-byte run is 
decoded as a FILETIME of 2008-02-22 17:28:29 (UTC) in Little Endian, alongside the String, 
Integer and other Date/Time rows. Status bar: Decimal, Sector Offset 0, Little Endian] 


[Screenshot: Preview of a SQLite database (query pane above, a table of message rows with date 
columns below) with the Data Interpreter open; the selected integer 312838897000000000 is 
decoded as Cocoa Nanoseconds 2010-11-30 19:41:37 (UTC), FILETIME 2592-05-07 01:21:40 
(UTC) and the other Date/Time rows. Status bar: Little Endian] 


Values from within .plist files and databases can be selected for interpretation. Clicking on 
Preview while viewing a database file will display the database structure. Select the desired table 
at left to view its contents. Values stored as integers can be interpreted. Click on the value in the 
lower pane, and the Data Interpreter decodes it. For example, in the screenshot above, a date 
value (1308221028) within the highlighted row is clicked, and it is interpreted into all the values 
the Data Interpreter can decode. 


These are the values decoded by the Data Interpreter view. 


String:      UTF-8, UTF-16 
Date/Times:  Chrome, DOS, FILETIME, OS X, Cocoa/Webkit, Cocoa Nanoseconds, Unix, Firefox, 
             Java, OLE 
Integer:     8-bit signed and unsigned, 16-bit signed and unsigned, 32-bit signed and unsigned, 
             64-bit signed and unsigned 
Floating:    Single (4 byte), Double (8 byte) 
Other:       Base64 


The Data Interpreter view is also available within the Disk View, where the full evidence disk is 
presented in a raw form. For more information, see Details View for Disk Images. 
Hex Templates and Data Structure View 


Cellebrite Inspector can view binary data structures using templates. Templates can take the 
mystery out of binary data by allowing the data to be understood in an intuitive way. Rather than 
displaying the raw hex bytes of the file, Inspector can show the file parsed into a hierarchical data 
structure for easy understanding. This goes beyond the Data Interpreter view, which displays 
arbitrary values of selected data. 


[Screenshot: file list of several .zip files (square-green.zip, square-red.zip, MSCasualGames.zip, 
Archive.zip, bobbyR.zip, ...) with bobbyR.zip selected, the Hex view of its local file header, and 
the Data Interpreter pane at the right. Status bar: Decimal, Sector Offset 0x0 (0), Position 0x4E 
(78), Little Endian] 


Inspector will automatically apply a template to a file when the file is selected and a template for 
that file type exists. 


[Screenshot: the same file list with bobbyR.zip (219 bytes) selected and the Data Structure view 
applied: File Record [0] with Signature, Version Info, Flag Type None and Compression DEFLATE 
fields, the corresponding bytes highlighted in the hex pane. Status bar: Sector Offset 0x0 (0), 
Position 0xA (10), Selection 0x4 (4)] 
In the previous example, a zip archive file was selected and, by choosing the Data Structure 
option, the zip file data structure is revealed. All the parts of the data structure from the 
template are shown to the user, including the element name or variable, which is spelled out for 
the benefit of the user, the value of that item, the position from the beginning of the file, and the 
size of the particular structure. This allows a deeper view into otherwise overlooked data 
structures. The template data returns a color coding for specific data types, which can be chosen 
by the user, as well as highlighting forensically important items such as dates and times, 
usernames, paths, etc. 


The data structure is made up of a series of variables, and selecting a variable in the list shows 
which hex bytes correspond to that variable (in the image above, the variable DOS Date & Time 
corresponds to the hex bytes E2 4E 78 47 at position 10). Highlighting either the hex data or the 
variable will change the other component. In addition, the Data Interpreter view can be selected 
and the corresponding data will be displayed there as well. 


[Screenshot: the Hex view of bobbyR.zip with the 4-byte selection E2 4E 78 47 highlighted and the 
Data Interpreter showing its readings: Chrome 1601-01-01 00:19:59 (UTC), Cocoa/Webkit 
2038-12-31 02:07:30 (UTC), DOS 2015-11-24 09:55:04 (unknown zone), Firefox 1970-01-01 
00:19:59 (UTC), Java 1970-01-14 21:04:26 (UTC), OS X 1941-12-30 02:07:30 (UTC), Unix 
2007-12-31 02:07:30 (UTC); integer 1199066850. Status bar: Decimal, Sector Offset 0x0 (0), 
Selection 0x4 (4), Little Endian] 
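How the Data Interpreter readings listed earlier are obtained from one selection, as an added example (not Inspector's own code) that serves both the table of decoded values and the zip walkthrough above: interpret() takes the four bytes E2 4E 78 47 at position 10 and produces the same set of readings the screenshot shows, in either byte order. The epochs are the conventional ones for each format: FILETIME and Chrome/WebKit count from 1601-01-01, OLE from 1899-12-30, OS X (HFS) from 1904-01-01, Unix/Java/Firefox from 1970-01-01, Cocoa from 2001-01-01 and DOS from 1980-01-01. Readings that do not fit the calendar are returned as None, the way the view leaves a row blank.

```python
"""Decode a selected run of bytes the way the Data Interpreter view does (added example)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1899 = datetime(1899, 12, 30, tzinfo=timezone.utc)
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)


def _fmt(when, zone):
    # Manual formatting: strftime is unreliable for years before 1900 on some platforms.
    return "%04d-%02d-%02d %02d:%02d:%02d (%s)" % (when.year, when.month, when.day,
                                                   when.hour, when.minute, when.second, zone)


def _from_epoch(epoch, **delta):
    """epoch + timedelta(**delta) as text, or None when the value does not fit the calendar."""
    try:
        return _fmt(epoch + timedelta(**delta), "UTC")
    except (OverflowError, ValueError):
        return None


def decode_dos_datetime(raw, little_endian=True):
    """DOS packed date/time: a 16-bit time word followed by a 16-bit date word (zone unknown)."""
    order = "<" if little_endian else ">"
    t, d = struct.unpack(order + "HH", raw)
    try:
        when = datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
    except ValueError:              # the bit pattern is not a valid calendar date
        return None
    return _fmt(when, "local")


def interpret(raw, little_endian=True):
    """Return a dict of every reading the Data Interpreter lists for a 1, 2, 4 or 8 byte selection."""
    width = len(raw)
    if width not in (1, 2, 4, 8):
        raise ValueError("select 1, 2, 4 or 8 bytes")
    order = "<" if little_endian else ">"
    code = {1: "b", 2: "h", 4: "i", 8: "q"}[width]
    signed = struct.unpack(order + code, raw)[0]
    n = struct.unpack(order + code.upper(), raw)[0]       # the unsigned value feeds the date decoders
    return {
        "Integer (signed)": signed,
        "Integer (unsigned)": n,
        "Unix": _from_epoch(EPOCH_1970, seconds=n),
        "Java": _from_epoch(EPOCH_1970, milliseconds=n),
        "Firefox": _from_epoch(EPOCH_1970, microseconds=n),
        "Chrome": _from_epoch(EPOCH_1601, microseconds=n),
        "Cocoa/Webkit": _from_epoch(EPOCH_2001, seconds=n),
        "Cocoa Nanoseconds": _from_epoch(EPOCH_2001, microseconds=n // 1000),
        "OS X": _from_epoch(EPOCH_1904, seconds=n),
        # FILETIME (100 ns ticks), OLE (double days) and DOS only make sense at one width
        "FILETIME": _from_epoch(EPOCH_1601, microseconds=n // 10) if width == 8 else None,
        "OLE": _from_epoch(EPOCH_1899, days=struct.unpack(order + "d", raw)[0]) if width == 8 else None,
        "DOS": decode_dos_datetime(raw, little_endian) if width == 4 else None,
        "Float": struct.unpack(order + ("f" if width == 4 else "d"), raw)[0] if width in (4, 8) else None,
    }


if __name__ == "__main__":
    for label, value in interpret(bytes.fromhex("E24E7847")).items():
        print("%-20s %s" % (label, value))
```

Run against the screenshot's bytes, the Little Endian column reproduces the view (DOS 2015-11-24 09:55:04, Unix 2007-12-31 02:07:30, Java 1970-01-14 21:04:26 and so on); the Big Endian column gives the nonsense readings that tell an examiner the field is not stored that way.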


Templates for .zip, .tar, .sqlite, .bmp, .jpg, .gif, .png, avl, .mp4, and .lnk files are included with 
Inspector as well as templates for parsing HFS Catalog Records, MFT Records, FAT32 Records, 
Partition Tables, and boot sectors. It is not difficult to write your own template for Inspector to 
use. 


[Screenshot: Inspector case window (Case.inspector) with an .E01 evidence image and its partition 
list at the left, the Evidence Status panel (Activity, Tags, Content Searches, Index Searches, 
Investigative Notes), and the Data Structure view applied to a Windows NTFS boot sector in the 
hex pane. Status bar: Decimal, Sector Offset, Physical Sector, Logical Sector, Selection] 


Templates are written in Python and are very flexible, since they may include if, for, or while 
statements as well as functions or complex expressions. A template is executed as a program, 
starting from the first line of the file. Data from the file being examined is passed in from 
Inspector as a stream object; the Python template reads and parses the stream and returns the 
resulting data structure to Inspector for display. 


The templates that come with Inspector (compatible with Python 3.8.2) are not designed to be 
altered by the user. Rather, users can create their own templates and place them in the 
following locations. 


• macOS: /Users/<username>/Library/Application Support/Cellebrite Tech/Template Scripts/ 
• Windows 10: C:\Users\<username>\AppData\Roaming\CellebriteTech\Template Scripts 
The built-in templates can be overridden by user-based templates. Templates work based on the 
extension of a file. In other words, the templates are named extension_template.py, where 
extension is the extension of the file the template is parsing. For example, a file with a .png 
extension would use a template named png_template.py. The following example demonstrates a 
simple PNG template. This template is designed to parse the chunk structure of a PNG image 
file. 


#!/usr/bin/python
# -*- coding: utf-8 -*-
"""
File: png_template.py
Author: Cellebrite
Version: 1.0
Purpose: Template for parsing PNG structures.
Category: Image
Signature ID: 89 50 4E 47 0D 0A 1A 0A // .PNG
History:
    1.0  Cellebrite  Initial release
"""

from bbt_framework import *


def analyse_stream(stream):
    # PNG files are Big Endian
    stream.little_endian = False

    # read the first 8 bytes which are the PNG signature
    sig = b""
    try:
        sig = stream.read_bytes(8)
    except:
        pass
    if sig != b'\x89PNG\r\n\x1a\n':
        root = TemplateField("Invalid PNG Data", 0, stream.length(), "")
        return root

    # create root field for PNG
    root = TemplateField("PNG", 0, stream.length(), "")

    # create signature field and append to the root field
    signature = TemplateField("Signature", 0, 8, sig)
    root.append(signature)

    # Loop through the chunks until we get to the end.
    try:
        while stream.position < stream.length():
            # Read the chunk length, type, data and a checksum
            chunk_start = stream.position
            chunk_length = stream.read_uint32()
            chunk_type = stream.read_utf_8(4)
            # Just move the position rather than reading the data
            stream.position = stream.position + chunk_length
            chunkCRC = stream.read_uint32()

            # Add a field for this chunk. Add 12: 4 bytes each for length, type and CRC
            chunk = TemplateField(chunk_type, chunk_start, chunk_length + 12, "")
            root.append(chunk)

            # Each chunk has 3 or 4 sub fields: size, type, possible data and CRC
            # Add size sub field
            chunk.append(TemplateField("Chunk Size", chunk_start + 0, 4, chunk_length))
            # Add type sub field
            chunk.append(TemplateField("Chunk Type", chunk_start + 4, 4, chunk_type))
            # Add data sub field if it's non-zero
            if chunk_length != 0:
                chunk_data_field = TemplateField("Chunk Data", chunk_start + 8, chunk_length, b'')
                chunk.append(chunk_data_field)
            # Add CRC sub field
            chunk.append(TemplateField("Chunk CRC", chunk_start + 8 + chunk_length, 4, chunkCRC))

            if chunk_type == "CgBI":
                chunk.value = "iOS PNG"
            elif chunk_type == "IHDR":
                chunk.value = "Image Header"
                # Move the stream position back so we can read data; 4 accounts for CRC
                stream.position = (stream.position - chunk_length - 4)
                chunk_data_field.append(stream.read_uint32_template("Width"))
                chunk_data_field.append(stream.read_uint32_template("Height"))
                chunk_data_field.append(stream.read_uint8_template("Bit Depth"))
                chunk_data_field.append(stream.read_uint8_template("Color Type"))
                chunk_data_field.append(stream.read_uint8_template("Compression Method"))
                chunk_data_field.append(stream.read_uint8_template("Filter Method"))
                chunk_data_field.append(stream.read_uint8_template("Interlace Method"))
                # Reset the position to where it was (skip the CRC again)
                stream.position = stream.position + 4
            elif chunk_type == "IDAT":
                chunk.value = "Image Data"
            elif chunk_type == "IEND":
                chunk.value = "Image Trailer"
    except:
        import logging
        logging.exception("error")
        # Mark everything after the last good field as invalid
        if TemplateField.last_append == None:
            root.append(TemplateField("Invalid PNG Data", stream.length(), 0, ""))
        else:
            lastValidPos = TemplateField.last_append.position + TemplateField.last_append.size
            root.append(TemplateField("Invalid PNG Data", lastValidPos,
                                      stream.length() - lastValidPos, ""))

    return root


def process(file_name=""):
    # create the stream
    stream = BBTStream(file_name)
    # analyze the stream
    root = analyse_stream(stream)
    # display the result
    root.display()


if not BBTFunctionsAvailable:
    process("sample.png")


Note: Template scripts must import the bbt_framework module. 


There is currently one other module that can be included for assisting with dates and times. This 
can be accomplished by importing the datetime_helpers module. 


These are the basic template structure definitions. 


• stream - The input stream (i.e. reading the file from position N, where N is either the start 
  of the file or some positional offset) 
    o stream.position - The current location of the read in the stream 
    o stream.length() - The length of the entire input stream 
• Little Endian vs Big Endian - Data is translated based on Little Endian by default. To 
  translate based on Big Endian, add the following to the beginning of def analyse_stream(stream): 

    stream.little_endian = False 

• root - The root field for the Template view. Creating the root field is done by defining a new 
  Field with the name root, which has the length set to the entire input stream: 

    root = TemplateField( "<NAME OF STRUCTURE>", 0, stream.length(), "" ) 

    o root.append(defined Field) - Appends a simple or complex field to the root field 
      of the Template view 
    o return root - Returns all of root 
• def analyse_stream(stream) - Wrapper for the functions that analyze the input stream 
  and render data for the Template view 
• def process( file_name = "" ) - Wrapper for the function that runs analyse_stream and 
  displays the results within Inspector itself 


TemplateField is defined as (name, position, size, value, significant=False). 


• name = The name of the field that will be visible in Inspector in the Data Structure view itself 
• position = The start byte based on the stream's current position (i.e. if the stream's 
  current position is 0, and this value is set to 4, the start byte for this TemplateField will be 
  byte number 4). 
• size = The size in bytes of the defined object (depends on object type) 
• value = The actual interpreted value of the data based on the position and size 
• significant = Is this value forensically significant (subjective) 
Object types: 


• read_bytes(self, count) - Read the input stream and return the bytes of that stream 

Note: Bytes that can be rendered in ASCII will be rendered; the rest will show their raw hex value. 

• read_ascii(self, count) - Read the input stream and return the ASCII representation of 
  that stream 
• read_utf_8(self, count) - Read the input stream and return a UTF-8 string representation 
  of that stream 
• read_string(self, count, encoding) - Read the input stream and return a string of the 
  analyst's defined encoding 
• read_string_null_terminated(self, encoding="") - Read the input stream and return 
  a string based on a null terminator and of the analyst's defined encoding 
• read_uint8(self) - Read the input stream and return an 8-bit unsigned integer 
• read_int8(self) - Read the input stream and return an 8-bit signed integer 
• read_uint8_template(self, name, significant=False) - Read the input stream for an 
  unsigned 8-bit integer and return a TemplateField (preferred method for getting a value, as it 
  tracks the position for you) 
• read_int8_template(self, name, significant=False) - Read the input stream for a 
  signed 8-bit integer and return a TemplateField 
• read_uint16(self) - Read the input stream and return a 16-bit unsigned integer 
• read_int16(self) - Read the input stream and return a 16-bit signed integer 
• read_uint16_template(self, name, significant=False) - Read the input stream for 
  an unsigned 16-bit integer and return a TemplateField (preferred method for getting a value, 
  as it tracks the position for you) 
• read_int16_template(self, name, significant=False) - Read the input stream for a 
  signed 16-bit integer and return a TemplateField 
• read_uint32(self) - Read the input stream and return a 32-bit unsigned integer 
• read_int32(self) - Read the input stream and return a 32-bit signed integer 
• read_uint32_template(self, name, significant=False) - Read the input stream for 
  an unsigned 32-bit integer and return a TemplateField (preferred method for getting a value, 
  as it tracks the position for you) 
• read_int32_template(self, name, significant=False) - Read the input stream for a 
  signed 32-bit integer and return a TemplateField 
• read_uint64(self) - Read the input stream and return a 64-bit unsigned integer 
• read_int64(self) - Read the input stream and return a 64-bit signed integer 
• read_uint64_template(self, name, significant=False) - Read the input stream for 
  an unsigned 64-bit integer and return a TemplateField (preferred method for getting a value, 
  as it tracks the position for you) 
• read_int64_template(self, name, significant=False) - Read the input stream for a 
  signed 64-bit integer and return a TemplateField 
• read_bool(self) - Read the input stream and return a boolean 
• read_single(self) - Read the input stream and return a single-precision float 
• read_double(self) - Read the input stream and return a double-precision float 
• read_dos_date_template(self, name, swapBytes, tz_offset_minutes, 
  tz_unknown=False, significant=False) - Return the DOS date and time from a 4-byte 
  input stream, which defaults to an unknown time zone since DOS dates are local. 
• read_win_filetime_template(self, name, tz_offset_minutes, 
  tz_unknown=False, significant=False) - Return the FILETIME from an 8-byte input 
  stream. 
• read_mac_date_template(self, name, tz_offset_minutes, tz_unknown=False, 
  significant=False) - Return the Mac OS date and time from a 4-byte input stream 
• read_unix_date_template(self, name, tz_offset_minutes, tz_unknown=False, 
  significant=False) - Return the Unix date and time from a 4-byte input stream 
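A way to exercise a template against the documented API before dropping it into the Template Scripts folder, as an added example (this is not Cellebrite's bbt_framework): MiniStream and TemplateField are stand-ins that implement only the surface listed above (position, length(), little_endian, read_bytes, read_uint16/32, read_utf_8, the *_template readers and read_dos_date_template), and zip_local_header_template() is a template body for the zip local file header the Data Structure walkthrough shows. The sample archive is built in memory with the timestamp from that walkthrough; TemplateField.find() and the default arguments on read_dos_date_template are additions of the stand-in, not part of the documented API.

```python
"""Stand-in harness for running an Inspector template outside Inspector (added example)."""
import io
import struct
import zipfile
from datetime import datetime


class TemplateField:
    """(name, position, size, value, significant=False), as documented."""
    last_append = None                  # templates rely on this class attribute for error recovery

    def __init__(self, name, position, size, value, significant=False):
        self.name, self.position, self.size = name, position, size
        self.value, self.significant, self.children = value, significant, []

    def append(self, field):
        self.children.append(field)
        TemplateField.last_append = field

    def find(self, name):
        """Depth-first lookup of a descendant by name (stand-in helper, not in the documented API)."""
        for child in self.children:
            if child.name == name:
                return child
            hit = child.find(name)
            if hit is not None:
                return hit
        return None


class MiniStream:
    """In-memory stand-in for BBTStream with the documented read methods."""

    def __init__(self, data):
        self._data, self.position, self.little_endian = data, 0, True

    def length(self):
        return len(self._data)

    def read_bytes(self, count):
        if self.position + count > len(self._data):
            raise EOFError("read past end of stream")
        out = self._data[self.position:self.position + count]
        self.position += count
        return out

    def _read(self, fmt):
        order = "<" if self.little_endian else ">"
        return struct.unpack(order + fmt, self.read_bytes(struct.calcsize(fmt)))[0]

    def read_uint16(self): return self._read("H")
    def read_uint32(self): return self._read("I")

    def read_utf_8(self, count):
        return self.read_bytes(count).decode("utf-8")

    def _template(self, fmt, name, significant):
        start = self.position
        value = self._read(fmt)             # the *_template readers track the position for you
        return TemplateField(name, start, self.position - start, value, significant)

    def read_uint16_template(self, name, significant=False): return self._template("H", name, significant)
    def read_uint32_template(self, name, significant=False): return self._template("I", name, significant)

    def read_dos_date_template(self, name, swapBytes=False, tz_offset_minutes=0,
                               tz_unknown=False, significant=False):
        """DOS packed time (2 bytes) then date (2 bytes); DOS dates are local, so the zone is unknown."""
        start = self.position
        t, d = self.read_uint16(), self.read_uint16()
        if swapBytes:
            t, d = d, t
        when = datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                        t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
        text = when.strftime("%Y-%m-%d %H:%M:%S") + (" (tz unknown)" if tz_unknown else "")
        return TemplateField(name, start, 4, text, significant)


def zip_local_header_template(stream):
    """Template body for the first zip local file header (the 'File Record [0]' of the screenshot)."""
    stream.little_endian = True
    root = TemplateField("ZIP", 0, stream.length(), "")
    if stream.length() < 30 or stream.read_bytes(4) != b"PK\x03\x04":
        root.append(TemplateField("Invalid ZIP Data", 0, stream.length(), ""))
        return root
    record = TemplateField("File Record [0]", 0, 0, "")
    root.append(record)
    record.append(TemplateField("Signature", 0, 4, "PK\\x03\\x04"))
    record.append(stream.read_uint16_template("Version Needed"))
    record.append(stream.read_uint16_template("Flags"))
    compression = stream.read_uint16_template("Compression")
    compression.value = {0: "None", 8: "DEFLATE"}.get(compression.value, compression.value)
    record.append(compression)
    record.append(stream.read_dos_date_template("DOS Date & Time", tz_unknown=True, significant=True))
    record.append(stream.read_uint32_template("CRC-32"))
    record.append(stream.read_uint32_template("Compressed Size"))
    record.append(stream.read_uint32_template("Uncompressed Size"))
    name_len = stream.read_uint16_template("File Name Length")
    extra_len = stream.read_uint16_template("Extra Field Length")
    record.append(name_len)
    record.append(extra_len)
    record.append(TemplateField("File Name", stream.position, name_len.value,
                                stream.read_utf_8(name_len.value), significant=True))
    stream.position += extra_len.value      # skip the extra field, as the PNG template skips chunk data
    record.size = stream.position
    return root


def constructed_zip():
    """One-entry zip built in memory with the timestamp from the walkthrough (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("bobbyR.txt", date_time=(2015, 11, 24, 9, 55, 4))
        zf.writestr(info, b"constructed sample text", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()
```

Parsing constructed_zip() puts the DOS Date & Time field at position 10 with size 4 over the bytes E2 4E 78 47, exactly as the walkthrough describes, and a non-zip input yields a single Invalid ZIP Data field, the same recovery pattern the PNG template uses.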


You can change the template colors in Inspector on the Templates tab in the Preferences. For 
more information, see Inspector Preferences or Options. 


[Screenshot: Preferences window, Templates tab (tabs: General, Options, Report, Export, Dialogs, 
Templates, Project VIC), listing each data type (bytes, datetime, fileslack, float, int, long, 
NoneType, ramslack, str, unicode) with a Regular and a Significant color sample, Back Color and 
Text Color fields with hex values, and the buttons Reset bool to Default and Reset All to Default] 


The standard data type colors which are returned by the template can be changed in this view. 
Highlight the data type that needs to be changed and choose the back color and/or the text color 
to be altered. If the color block is selected, a standard OS color picker is displayed for color 
selection. Hex color values can also be entered manually within the text blocks. If a color needs 
to be reset to the default value for a single item, select that item and click Reset <type> to Default, 
where <type> is the selected data type. To reset the entire color scheme to the default, click 
Reset All to Default. 
Go To Position in Hex View 


The hex view has a position jump feature that lets you move to a specific position (offset) within 
a file. There are three ways to change the position. The first and easiest is to use the Go to 
Position field on the bottom of the Hex tab view. The other two ways are through either the 
context menu or the Edit menu. Either of these has the Jump to Hex Offset option, which lets you 
enter a position to move to. 


[Screenshot: Hex view of an .ichat file (1 of 106: /Racer - Data/Users/josh/Documents/iChats/ 
2010-12-01/leopardbbt on 2010-12-01 at 15.38.ichat) showing a binary plist (bplist, $version, 
$objects, $archiver, $top keys) with the status bar reading Sector Offset 0x7F (127), Position 0x7F 
(127), Selection 0x1 (1)] 


Type the position to jump to in the Position box, and Inspector shifts the position highlight to the 
numbered position. If a position is entered which does not exist, then Inspector highlights the 
last possible position to indicate there are no more positions to see. You can select whether to 
enter the position in decimal or hexadecimal notation. 
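The position field accepts decimal or hexadecimal input and clamps positions past the end of the file to the last byte. The following Python example is added here to show that behaviour in code; it is not Inspector's own implementation. The buffer, the 0x-prefix convention for inferring hexadecimal notation, and the status-line format are constructed for the example.

```python
from typing import Optional

# Constructed stand-in for a file's data fork: 5376 bytes, so 0x14FD (5373)
# is a valid position and 0x7F (127) holds the byte 0x7F.
SAMPLE = bytes(range(256)) * 21


def parse_position(text: str, hexadecimal: Optional[bool] = None) -> int:
    """Parse a typed position. hexadecimal=True/False mirrors the notation
    selector; None infers hexadecimal from a 0x prefix and otherwise assumes
    decimal. Negative or empty input is rejected."""
    s = text.strip()
    if not s:
        raise ValueError("empty position")
    if hexadecimal is None:
        hexadecimal = s.lower().startswith("0x")
    if s.lower().startswith("0x"):
        s = s[2:]
    value = int(s, 16 if hexadecimal else 10)
    if value < 0:
        raise ValueError("position must not be negative")
    return value


def jump_to_position(data: bytes, text: str) -> tuple[int, bool]:
    """Resolve a typed position against a buffer. A position beyond the end is
    clamped to the last byte, as the viewer does; the flag reports clamping so
    a caller can tell the user there were no more positions to see."""
    if not data:
        raise ValueError("an empty buffer has no positions")
    wanted = parse_position(text)
    last = len(data) - 1
    if wanted > last:
        return last, True
    return wanted, False


def status_line(offset: int) -> str:
    """Render the position the way the status bar shows it: hex and decimal."""
    return f"Position: 0x{offset:X} ({offset}) Selection: 0x1 (1)"


def hex_line(data: bytes, offset: int, width: int = 16) -> str:
    """Return the 16-byte row containing offset, with the selected byte in
    brackets, so the jump result can be checked against the raw bytes."""
    start = offset - offset % width
    cells = [f"{b:02X}" for b in data[start:start + width]]
    cells[offset - start] = f"[{cells[offset - start]}]"
    return f"{start:08X}  " + " ".join(cells)


if __name__ == "__main__":
    for typed in ("0x7F", "127", "0x14FD", "999999"):
        offset, clamped = jump_to_position(SAMPLE, typed)
        print(typed, "->", status_line(offset), "(clamped)" if clamped else "")
        print(hex_line(SAMPLE, offset))
```

Clamping rather than rejecting an out-of-range position is what makes the "last possible position" behaviour described above visible to the user; the returned flag is what a viewer would use to indicate it.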


[Screenshot: Hex tab after jumping to a position; the status bar reads Position: 0x14FD (5373), Selection: 0x1 (1), and the title shows (1 of 106) - /Racer - Data/Users/josh/Documents/iChats/2010-12-01/leopardbbt on 2010-12-01 at 15.38.ichat]


Recovered SQLite Records 


Cellebrite Inspector attempts to recover deleted records from SQLite databases automatically. If 
a view exists for a specific SQLite database, such as the Messages sub-view, then any full, intact, 
or recovered records are displayed in the Content pane. Recovered records are highlighted in 
red italics, denoting that they were at one time deleted records that have now been recovered. 


Many partial items can also be recovered from SQLite databases. These partial fragments can be 
seen in the File Content view under the Preview tab. An SQLite database must be selected, and 
when you click Preview, the tables for the SQLite database display along with a table named 
Recovered Fragments. 


The Recovered Fragments table is not part of the SQLite database. It is designed to display any 
recovered fragment data that cannot be placed into specific cells or columns, as there is no 
context for where the fragments originally existed. Like text items, these fragments can be 
tagged and placed into the report. When tagged, the tag icon appears next to the selected items. 
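Why deleted SQLite records and partial fragments can be recovered at all, and when they cannot, is worth seeing on a real database file. The Python example below is added here and is not Inspector's recovery code: it builds a constructed message table in a temporary file, deletes one row, and checks whether that row's text is still present in the file bytes. It also carves printable runs the crude way a fragment table gets its context-free text. The PRAGMA secure_delete switch shows the failure mode: a database whose library zeroes freed cells leaves nothing to recover. The table name, rows and marker string are constructed.

```python
import os
import re
import sqlite3
import tempfile

# Constructed marker text; it exists only in the row that gets deleted.
MARKER = "DELETED-RECORD-MARKER-7f3a"


def raw_database_after_delete(secure_delete: bool) -> bytes:
    """Build a throw-away message table, delete one row, and return the raw
    bytes of the closed database file. secure_delete controls whether SQLite
    zeroes freed cell content (PRAGMA secure_delete) or leaves it in place."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    os.unlink(path)                      # let SQLite create the file itself
    try:
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA journal_mode = DELETE")   # no WAL copy of the data
        conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, text TEXT)")
        conn.execute("INSERT INTO message VALUES (1, 'first row, kept')")
        conn.execute("INSERT INTO message VALUES (2, ?)", (MARKER,))
        conn.execute("INSERT INTO message VALUES (3, 'third row, kept')")
        conn.commit()
        conn.execute("DELETE FROM message WHERE id = 2")
        conn.commit()
        conn.close()
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        for leftover in (path, path + "-journal"):
            if os.path.exists(leftover):
                os.unlink(leftover)


def deleted_text_survives(secure_delete: bool) -> bool:
    """True when the deleted row's text is still in the file bytes, which is
    the precondition for any carver to recover the record."""
    return MARKER.encode() in raw_database_after_delete(secure_delete)


def carve_ascii_runs(raw: bytes, min_len: int = 8) -> list[str]:
    """Crude fragment carving: printable-ASCII runs of at least min_len bytes.
    Runs that belong to no live row are the context-free fragments that can
    only be shown in a table like Recovered Fragments, not in a column."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


if __name__ == "__main__":
    print("secure_delete OFF -> text still in file:", deleted_text_survives(False))
    print("secure_delete ON  -> text still in file:", deleted_text_survives(True))
    runs = carve_ascii_runs(raw_database_after_delete(False))
    print("carved fragments containing the marker:",
          [r for r in runs if MARKER in r])
```

With secure_delete off, SQLite only overwrites the first few bytes of a freed cell with a free-block header, so the carved run may carry a byte or two of record header in front of the text; that is exactly why a fragment cannot be placed back into a specific cell or column.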
Viewing Embedded .plist Data and .jpg Pictures 


When a .plist contains embedded .plist data, you can see that data in the File Content view. 
Select a .plist that contains embedded .plist data, and click Preview in the File Content view. 
Embedded .plist data is denoted in the Type column. You can expand items to reveal .plist data. 


• On a Mac computer, click the disclosure triangle. 
• On a Windows computer, click +. 


You can also expand all data within the .plist. 


• On a Mac computer, press OPT while you click the disclosure triangle to the left of Root. 
• On a Windows computer, press ALT while you click + to the left of Root. 


[Screenshot: Preview tab showing embedded .plist data in Key, Type and Value columns; expanded Dictionary items reveal Boolean and Number entries such as BEACON_INT (Number, 20)]


You can also see .jpg files that are embedded in a .plist. Click <View Picture> in the Value column, 
and the embedded .jpg opens in a new Plist Picture window. 




Plist Data 


When a database contains .plist data, you can see that data. In the File Content view, select a 
database that contains .plist data and click Preview. Select a table on the left and then click 
<View Plist> to the right. A separate Database Plist window appears where you can also show or 
hide .plist data. 


[Screenshot: Preview tab for a messages database; the Tables list on the left includes message, chat, handle, attachment and related join tables, and the selected message table shows <View Plist> in its properties column for rows that contain .plist data]
You can also see .jpg files that are embedded in a database. In the File Content view, select a 
database that contains a .jpg file and click Preview. Select a table on the left and click <View 
Picture> to the right. The .jpg opens in a new Database Picture window. 


Managing List Views 


Cellebrite Inspector allows for secondary sorting of columns. In most views that contain 
columns, clicking on a column header toggles between sorting by that column in ascending or 
descending order. A single arrow in the column header denotes a primary sort, as well as 
indicating the direction (up for ascending or down for descending). 


You can add a secondary sort by pressing SHIFT while you click a second column header. A set of 
double arrows is shown to denote a secondary sort. You can remove a secondary sort by 
clicking a column of choice for primary sorting. 
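How a primary and a secondary sort combine, each with its own direction, is easy to get wrong when implementing a list view. The Python example below is added here and is not Inspector's code: it sorts constructed evidence rows by a primary column and a secondary tie-breaker using stable sorting, and models the header-click behaviour described above. The Row fields and sample dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Row:
    name: str
    created: date
    modified: date


# Constructed rows standing in for an evidence list.
ROWS = [
    Row("b.txt", date(2014, 12, 27), date(2014, 12, 28)),
    Row("a.txt", date(2014, 12, 27), date(2014, 12, 27)),
    Row("c.txt", date(2014, 10, 1), date(2014, 12, 28)),
    Row("d.txt", date(2014, 12, 28), date(2014, 10, 1)),
]

# A sort key is (column name, ascending?), e.g. ("created", True).
SortKey = tuple[str, bool]


def sort_rows(rows, primary: SortKey, secondary: Optional[SortKey] = None) -> list:
    """Sort by primary, breaking ties by secondary. Python's sort is stable, so
    sorting by the secondary key first and the primary key last yields the
    lexicographic (primary, secondary) order while each column keeps its own
    direction, which a single tuple key cannot express for mixed directions."""
    out = list(rows)
    for column, ascending in [k for k in (secondary, primary) if k]:
        out.sort(key=lambda r: getattr(r, column), reverse=not ascending)
    return out


def click_header(primary: Optional[SortKey], column: str) -> SortKey:
    """Plain click: the same column toggles its direction; another column
    becomes the new primary sort, ascending, and drops any secondary sort."""
    if primary and primary[0] == column:
        return (column, not primary[1])
    return (column, True)


def shift_click_header(primary: SortKey, column: str) -> SortKey:
    """SHIFT+click on a column other than the primary adds it as the secondary
    sort, ascending."""
    if column == primary[0]:
        raise ValueError("secondary sort must use a different column")
    return (column, True)


if __name__ == "__main__":
    key = click_header(None, "created")                 # Date Created, ascending
    second = shift_click_header(key, "modified")         # Date Modified as tie-breaker
    second = (second[0], False)                          # flip it to descending
    for row in sort_rows(ROWS, key, second):
        print(row.name, row.created, row.modified)
```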


[Screenshot: list view with Date Created marked by a single arrow (primary sort) and Date Modified marked by double arrows (secondary sort); rows dated 2014-10-01, 2014-12-27 and 2014-12-28 (UTC)]


Column Reordering 


You can reorder columns by clicking View > Adjust List Columns. 


[Screenshot: View menu showing the Adjust List Columns... and Show File Info items]
A separate window opens. Select and drag each item in the list to the appropriate order. Each 
item can also be shown or hidden by activating or deactivating its checkbox in this list. When you 
have finished making changes, click Apply Changes. The columns now appear in the specified 
order. 


[Screenshot: Adjust List Columns window ("Drag Rows To Reorder") with Column and Visible columns; listed columns are Tagged State (fixed), Evidence ID (fixed), BL ID, FS ID, Name, Size, MD5, Date Created, Date Modified, Date Accessed, Date Added, Version Index, Extension, Content Extension, Path, Directory, Locked, Hidden, Category, SHA1, SHA256 and Entropy; buttons Reset List To Defaults, Cancel and Apply Changes]


To return columns to the default appearance, click View > Adjust List Columns, click Reset List to 
Defaults, and then click Apply Changes. 
Settings, Preferences, and Options 


Cellebrite Inspector displays date, time and numeric attributes according to the settings for the 
operating system on the analysis computer. These settings determine how Inspector displays 
information in various views, as well as how some data is reported. It is important that these 
settings are appropriate for any given case. 


Separately from that, you can manage preferences and options within Cellebrite Inspector itself. 


• Inspector Preferences or Options 
• System Preferences on Mac Computers 
• System Settings on Windows 10 Computers 


Inspector Preferences or Options 


You can manage preferences and options for Cellebrite Inspector such as the default evidence 
list font size, iOS device deleted record recovery behavior, examiner report appearance, data 
export options, and search options. These are different from preferences or options for your 
operating system. 


• In the menu bar for a Mac computer, click Inspector > Preferences. 
• In the menu bar for a Windows computer, click Edit > Options. 


The Preferences window appears. 
These are the tabs on the Preferences window. 


• General Tab 
• Options Tab 
  ◦ Processing Options 
  ◦ Search Options 
• Report Tab 
• Export Tab 
• Dialogs Tab 
• Templates Tab 
• Project VIC Tab 
General Tab 


On the Preferences window, click General. 


[Screenshot: Preferences window, General tab (tabs: General, Options, Report, Export, Dialogs, Templates, Project VIC): Font size for lists (Default), Font for File Content View text display (Default), Use Monospace Font checkbox, Language (English), and Hash Comparison checkboxes for SHA-1 and SHA-256]


In the Font size for lists field, you can increase or decrease the default font size for lists in 
Inspector. This setting affects several views of the Content pane. It does not change data export 
font settings or font settings in data views that do not display data as a file list. 


In the General tab, you can also change the font size for the File Content view and change the 
language. 


Full Disk Access is a security feature in versions of macOS 10.14 (Mojave) and higher. It must be 
enabled for Inspector to function properly on Mac computers. When Full Disk Access is enabled, 
this is shown in the General tab. If it is disabled, you can click Enable Full Disk Access. 


The General tab also provides options for Hash Comparison. Hash sets in Inspector can contain 
one or all of MD5, SHA-1 and SHA-256 hash values. By default, Inspector performs hash 
comparisons using MD5. You can mark the checkboxes for SHA-1 and SHA-256 to allow Inspector 
to perform hash comparisons using those hash values. 
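The practical consequence of the algorithm checkboxes is that a hash-set entry can only match on an algorithm that is both present in the entry and enabled for comparison. The Python example below is added here and is not Inspector's implementation; it computes all three digests of a file's content and matches them against a constructed hash set whose entries carry one or all of the digests. The digests in the sample set are those of the three-byte content b"abc" and of the empty file; the entry names are constructed.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")


def file_hashes(data: bytes) -> dict[str, str]:
    """Lower-case hex MD5, SHA-1 and SHA-256 of a file's content."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


# Constructed hash set: entries may carry one or all of the three digests,
# in either case of hex. The digests below belong to the content b"abc",
# except the last entry, which is the MD5 of an empty file.
HASH_SET = [
    {"name": "abc (all three digests)",
     "md5": "900150983CD24FB0D6963F7D28E17F72",
     "sha1": "A9993E364706816ABA3E25717850C26C9CD0D89D",
     "sha256": "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"},
    {"name": "abc (SHA-256 only)",
     "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
    {"name": "unrelated entry",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


def match_hash_set(data: bytes, hash_set, enabled=("md5",)) -> list[str]:
    """Names of hash-set entries whose digest matches on any enabled
    algorithm. An entry that only carries an algorithm you have not enabled
    can never match, which is why SHA-1/SHA-256 must be enabled for sets that
    were built without MD5. Hex comparison is case-insensitive."""
    unknown = set(enabled) - set(ALGORITHMS)
    if unknown:
        raise ValueError(f"unsupported algorithm(s): {sorted(unknown)}")
    digests = file_hashes(data)
    hits = []
    for entry in hash_set:
        if any(alg in entry and entry[alg].lower() == digests[alg]
               for alg in enabled):
            hits.append(entry["name"])
    return hits


if __name__ == "__main__":
    content = b"abc"
    print("MD5 only:        ", match_hash_set(content, HASH_SET))
    print("MD5 + SHA-256:   ", match_hash_set(content, HASH_SET, ("md5", "sha256")))
    print("empty file, MD5: ", match_hash_set(b"", HASH_SET))
```

The second print line is the case the checkboxes exist for: the "SHA-256 only" entry is silently missed while comparison is limited to MD5.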
Options Tab 


On the Preferences window, click Options. 


[Screenshot: Preferences window, Options tab: under iOS Devices, the Recover Deleted SQLite Records checkbox (marked); under Processing Options, Max Number of Processors to Utilize (4), Remember Ingestion Options, and a Microsoft Symbols Settings... button; under Search Options, Deduplicate Hits Across Volume Shadow Copies, Indexed Search Memory Size (MB) (default - 2048) with the note "Memory size changes take effect when opening a case."; under Embedded HTML Links, the Follow URL Links checkbox]


You can mark or unmark the Recover Deleted SQLite Records checkbox. Marking this box allows 
Inspector to automatically recover deleted iOS records from SQLite databases. The iOS Recover 
Deleted SQLite Records checkbox should remain marked unless problems occur while running 
Inspector. 


Processing Options 


Inspector takes full advantage of machines with multi-core CPUs during device acquisition and 
searching. To manually set the maximum number of processors for Inspector to use, in the Max 
Number of Processors to Utilize field, choose a processor number. This change is effective for 
future ingestion, parsing, and searching. To make this change effective immediately, restart 
Inspector. 


Mark the checkbox for Remember Processing Options if appropriate. When this option is marked, 
you can select custom ingestion options for a specific attached device (in the right portion of the 
Add Evidence window), cancel and close the case, then later reopen the case to find the 
processing options have been remembered in the Add Evidence window. 


For information about Microsoft Symbols Settings, see Adding a Memory File. 
Search Options 


This section contains options for both Content searches and Index searches. The Deduplicate Hits 
Across Volume Shadow Copies option applies to Content keyword searches. For more information, 
see Content Keyword Searches. 


The Indexed Search Memory Size (MB) option relates to the amount of memory allocated to the SQLite 
FTS5 Extension, used by Inspector for indexing and index searches. The default setting allocates 
2 GB (2048 MB) but can be increased or decreased. The minimum is 512 MB, the maximum is 
100 GB. When Index Search Memory Size (MB) is changed, Inspector must be restarted for the 
new settings to take effect. Keep in mind, changing how much memory is allocated may affect 
the overall performance of Inspector and any other software you are running on your system. As 
the SQLite FTS5 Extension is only used for indexing and index searches, running other Inspector 
processing options separately enhances performance. For more information, see Index 
Searching. 


In the Embedded HTML Links section, you can mark or unmark the checkbox to Follow URL Links. 
When this checkbox is not marked, no attempts are made to access external domains. This 
applies to portable cases, to cases opened within Inspector, and to generating reports. 


Report Tab 


On the Preferences window, click Report. 


[Screenshot: Preferences window, Report tab: Chat Message Report Format with Conversation View (selected) and List View radio buttons; Censored Picture Caption field containing "Sensitive"; Tag Narrative Report Caption field containing "Narrative"; the checkbox Create previews for tagged email (Will slow report generation); and the note "NOTE: Email previews will not be created if the 'Export' checkbox is not checked in the Report view"]


You can choose the way SMS/MMS [chat] messages appear in the examiner report. The chat 
format preference has two settings. 


• Select Conversation View to display chats in the examiner report the same way they appear 
natively on an iOS or Android device screen. 
• Select List View to display chats in a list format. 
To customize censored picture captions and tag narrative captions, type the desired caption text 
into the Censored Picture Caption and Tag Narrative Report Caption fields respectively. 


To enable email previews within reports and portable cases, mark the Create previews for tagged 
email (Will slow report generation) checkbox. 


Export Tab 


On the Preferences window, click Export. 


[Screenshot: Preferences window, Export tab: Tab Delimited Data Export - Use (Spaces); CSV Delimited Data Export - Use (No Replacement); under Exporting Files, the checkboxes Export alternate data stream (ADS) with file content and Dedupe Hard Links, and the L01 Segment Size (MB) field (0)]


You can specify default file export settings. You can select and export data from the Content pane 
to a delimited text file, but this process requires some preliminary data manipulation. If a data 
cell contains non-printing characters (tabs, carriage returns, or line feeds), a clean tab or line- 
delimited export fails unless these characters are replaced or “escaped” prior to export. 
These are the available data export settings; the Tab Delimited and CSV Delimited columns show which options apply to each export type. 


Option                     Description                                              Tab Delimited  CSV Delimited 
1  Spaces                  Replaces all non-printing characters with spaces         Yes            Yes 
2  Escaped with \t and \r  Replaces tabs with \t; replaces both carriage returns    Yes            Yes 
                           and line feeds with \r 
3  <TAB>, <EOL>            Replaces tabs with <TAB>; replaces both carriage         Yes            Yes 
                           returns and line feeds with <EOL> 
4  <TAB>, <CR>, <LF>       Treats both types of end-of-line characters as           Yes            Yes 
                           separate entities: replaces tabs with <TAB>, carriage 
                           returns with <CR>, and line feeds with <LF> 
5  No Replacement          Does not replace non-printing characters                 No             Yes 


The Tab Delimited Data Export option is set to escape using Spaces by default, and the CSV 
delimited export option is set to not replace non-printing characters by default. These default 
settings work under most circumstances and should be used if you are unsure about which 
settings to choose. 
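To show what each replacement option does to a cell, and why "No Replacement" is acceptable for CSV but breaks a tab-delimited export, here is an added Python example. It is not Inspector's export code; the option names follow the table above, while the sample rows, the tab-file parser and the "each non-printing character becomes one replacement" interpretation are the example's own assumptions.

```python
import csv
import io

# Option names as they appear in the Tab Delimited / CSV Delimited selectors.
SPACES = "Spaces"
ESCAPED = "Escaped with \\t and \\r"
TAB_EOL = "<TAB>, <EOL>"
TAB_CR_LF = "<TAB>, <CR>, <LF>"
NO_REPLACEMENT = "No Replacement"

# Per option: what a tab, a carriage return and a line feed are replaced with.
# Assumption: every non-printing character is replaced individually.
REPLACEMENTS = {
    SPACES:         {"\t": " ",     "\r": " ",     "\n": " "},
    ESCAPED:        {"\t": "\\t",   "\r": "\\r",   "\n": "\\r"},
    TAB_EOL:        {"\t": "<TAB>", "\r": "<EOL>", "\n": "<EOL>"},
    TAB_CR_LF:      {"\t": "<TAB>", "\r": "<CR>",  "\n": "<LF>"},
    NO_REPLACEMENT: {},
}


def escape_cell(value: str, option: str) -> str:
    """Apply one replacement option to a single cell value."""
    if option not in REPLACEMENTS:
        raise ValueError(f"unknown export option {option!r}")
    return "".join(REPLACEMENTS[option].get(ch, ch) for ch in value)


def export_tab(rows, option: str = SPACES) -> str:
    """Tab-delimited export: one row per line, cells separated by tabs."""
    return "".join("\t".join(escape_cell(c, option) for c in row) + "\n" for row in rows)


def export_csv(rows, option: str = NO_REPLACEMENT) -> str:
    """CSV export: the csv module quotes any cell that still contains a
    delimiter, quote or line break, which is why no replacement is needed."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape_cell(c, option) for c in row])
    return buf.getvalue()


def parse_tab(text: str) -> list[list[str]]:
    """How a downstream tool reads a tab-delimited file: split on line breaks,
    then on tabs. Unescaped breaks inside a cell become extra rows."""
    return [line.split("\t") for line in text.splitlines()]


def parse_csv(text: str) -> list[list[str]]:
    return list(csv.reader(io.StringIO(text)))


# Constructed sample rows: the second cell of row 1 holds a line break, the third a tab.
ROWS = [
    ["1", "line one\nline two", "a\tb"],
    ["2", "plain", "x"],
]

if __name__ == "__main__":
    for option in (SPACES, ESCAPED, TAB_EOL, TAB_CR_LF, NO_REPLACEMENT):
        rows = parse_tab(export_tab(ROWS, option))
        print(f"tab export, {option:24s}: {len(rows)} rows parsed -> {rows[0]}")
    print("csv export, No Replacement:", parse_csv(export_csv(ROWS)))
```

Running it shows the tab export with No Replacement parsing back as three rows instead of two, while every other option and the CSV export round-trip the two rows intact.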


In the Exporting Files section, you can manage several options. 


NTFS files may contain alternate data streams (ADS). When exporting an NTFS file, if Export 
alternate data stream (ADS) with file content is selected, the ADS will be exported with the file. 


To export only unique files from a Time Machine backup, mark the checkbox for Dedupe Hard 
Links. 


Time Machine backups, including the backups stored on a Time Capsule, contain incremental 
backups of a macOS system. These backups are stored in the folder Backups.backupdb, which 
stores date/time folders for each backup. On Time Capsule, the Backups.backupdb folder is 
stored in a Sparsebundle. Time Machine backups are incremental but use Hard Links to give the 
appearance of full backups in each date/time folder. Once the first backup is created, Time 
Machine creates Hard Links in subsequent date/time folders that serve as pointers to the 
original files. When the next backup is made, only the files that have changed are copied into the 
backup, and Hard Links are created for files that have not changed. When Inspector processes a 
Time Machine backup, all the files and Hard Links are processed. Consequently, there can be 
millions of files and Hard Links in each Time Machine backup. When a folder is exported from a 
Time Machine backup, the Hard Links are resolved, exporting the same file multiple times. 
Below is an export from a Time Machine backup showing a Downloads folder. Notice the files 
from the first snapshot (2010-11-29-052336) are also exported in the second snapshot (2010-12- 
28-011524). 


[Screenshot: two Finder windows under Export > Backups.backupdb > Josh Bennett's MacBook. The Downloads folder of snapshot 2010-11-29-052336 contains .DS_Store, .localized, About Downloads.pdf, Adium_1.4.1.dmg, Firefox 3.6.dmg, photo1-1.jpg, photo1.jpg and pow54.jpg (8 items); the Downloads folder of snapshot 2010-12-28-015524 contains the same files again plus 2011 winter workout.doc, tesla-electric-car.jpg and The Tesla is...some car.doc]


When the same folder is exported with the Dedupe Hard Links option selected, the files that 
were Hard Links in the second Time Machine snapshot are not exported; only the new files are 
exported. 


[Screenshot: two Finder windows under ExportDeduped > Backups.backupdb > Josh Bennett's MacBook. The Downloads folder of snapshot 2010-11-29-052336 contains the same 8 items as before; the Downloads folder of snapshot 2010-12-28-015524 now contains only the new files 2011 winter workout.doc, tesla-electric-car.jpg and The Tesla is...some car.doc]
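To make the Hard Link behaviour concrete, here is an added Python example that is not Inspector's export code. It builds a constructed two-snapshot Backups.backupdb in a temporary directory, with unchanged files hard-linked into the second snapshot exactly as Time Machine does, then exports the tree with and without deduplication. Deduplication is keyed on the (device, inode) pair that every hard link to a file shares. The snapshot and file names are taken from the screenshots above; the file contents are constructed.

```python
import os
import shutil
import tempfile
from pathlib import Path


def build_sample_backup(root: Path) -> None:
    """Constructed stand-in for Backups.backupdb with two date/time snapshots.
    Files that did not change between backups exist in the second snapshot
    only as hard links to the first snapshot's copies."""
    snap1 = root / "2010-11-29-052336" / "Downloads"
    snap2 = root / "2010-12-28-015524" / "Downloads"
    snap1.mkdir(parents=True)
    snap2.mkdir(parents=True)
    (snap1 / "About Downloads.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (snap1 / "photo1.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg\n")
    for name in ("About Downloads.pdf", "photo1.jpg"):
        os.link(snap1 / name, snap2 / name)           # unchanged: hard link only
    (snap2 / "tesla-electric-car.jpg").write_bytes(b"\xff\xd8\xff new in snapshot 2\n")


def export_tree(src: Path, dest: Path, dedupe_hard_links: bool) -> list[str]:
    """Copy every regular file under src into dest, preserving the folder
    structure. With dedupe_hard_links, a file whose (st_dev, st_ino) pair has
    already been exported is skipped, so each unique file is written once,
    under the earliest snapshot that contains it."""
    seen: set[tuple[int, int]] = set()
    exported: list[str] = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        st = path.stat()
        identity = (st.st_dev, st.st_ino)
        if dedupe_hard_links and identity in seen:
            continue
        seen.add(identity)
        target = dest / path.relative_to(src)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        exported.append(path.relative_to(src).as_posix())
    return exported


def demo() -> tuple[list[str], list[str]]:
    """Export the constructed backup both ways and return the two file lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Backups.backupdb"
        build_sample_backup(root)
        full = export_tree(root, Path(tmp) / "Export", dedupe_hard_links=False)
        deduped = export_tree(root, Path(tmp) / "ExportDeduped", dedupe_hard_links=True)
        return full, deduped


if __name__ == "__main__":
    full, deduped = demo()
    print("full export:   ", len(full), "files")
    print("deduped export:", len(deduped), "files")
    for rel in deduped:
        print("  ", rel)
```

Sorting the walk by path is what makes the original land in the first snapshot and the skipped hard links fall in later ones, matching the screenshot above where only the new files remain under the second date/time folder.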


The L01 Segment Size (MB) field specifies the segment size for Logical Evidence Files. By default, 
the size is set to 0; this means that any data exported to Logical Evidence Files is not segmented. 
The other options are 100, 250, 500, 1000, 5000 and 10000 (MB). 
Dialogs Tab 


On the Preferences window, click Dialogs. 


[Screenshot: Preferences window, Dialogs tab: checkboxes Show Metadata selection dialog when tagging a file and Show deprecated hash set warning dialog (both marked), and a Reset Tip Dialogs button with the description "Resets all Inspector Tip dialogs to display when appropriate."]


During the course of using Inspector, you can choose to hide dialogs. To show these dialogs 
again, click Reset Tip Dialogs. 

During the course of using Inspector, you can unmark the Always show this dialog when tagging 
files checkbox. However, if a user did this, you can override it by marking the checkbox for Show 
Metadata selection dialog when tagging a file. This ensures that the Metadata selection dialog always 
appears. 


To force the deprecated hash set warning dialog to always appear, mark the checkbox for Show 
deprecated hash set warning dialog. 
Templates Tab 


On the Preferences window, click Templates. 


[Screenshot: Preferences window, Templates tab: a Type list (bool, bytes, datetime, fileslack, float, int, long, NoneType, ramslack, str, unicode) with Regular and Significant style columns, Back Color and Text Color fields, a sample hex display, the Reset bool to Default and Reset All to Default buttons, and a Workspace Orientation setting]


This lets you modify the color coding for data types shown in hex templates. For more 
information, see Hex Templates and Data Structure View. 
Project VIC Tab 


On the Preferences window, click Project VIC. 


[Screenshot: Preferences window, Project VIC tab: Project VIC Country Selection with the Country field (US-United States), and Exporting Data Models with the field Default category for all uncategorized pictures (0 - Non-Pertinent)]


This tab provides setting selections for Project VIC Version 2.0 as well as older Project VIC 
versions and other data models. Project VIC Version 2.0 includes country data and corresponding 
category descriptions. Choose the appropriate country in the Country field under Project VIC 
Country Selection. These countries are available. 


• CA-Canada 
• CH-Switzerland 
• DK-Denmark 
• EE-Estonia 
• FR-France 
• NO-Norway 
• RO-Romania 
• SE-Sweden 
• UK-United Kingdom 
• US-United States 


You can continue support for older versions of Project VIC and other data models. Under 
Exporting Data Models, you can set a default category when exporting uncategorized images, 
videos, and thumbnails to a specific data model format. These are the supported formats. 


• Project VIC Version 1.1 
• Project VIC Version 1.2 
• Project VIC Version 1.3 
• Project VIC Version 2.0 
• BlueBear LACE 
• C4ALL 
• S21 
System Preferences on Mac Computers 


These preferences should be set according to the user preferences. 


Language 


1. Click Apple > System Preferences. 
2. Click Language & Region (on older OS X computers, this is Language & Text). 
3. Select the appropriate default language and drag it to the top of the list. 


Region 


Different geographic locations treat date, time and numeric formats differently. In some parts of 
the world, dates are written with the day first, then the month and the year. In other parts of the 
world, the month is written first, then the day and the year. 


• In Language & Region preferences, select the appropriate location in the Region field. 
Inspector displays the new date, time and numeric format settings according to the new 
setting. 


Date and Time 


1. At the top of the Preferences window, click Show All to return to the main System 
Preferences window. 

2. Click Date & Time. 

3. Choose one of these actions. 


• To manually set the current time zone and date, click the Date & Time tab. 
• To use the automatic clock sync feature, click the Time Zone tab. 


[Screenshot: macOS Date & Time preferences, Time Zone tab: "To select a time zone, click the map near your location and choose a city from the Closest City menu. You can also have the time zone change automatically, if possible, based on your current location."; the checkbox Set time zone automatically using current location; Time Zone: Central European Summer Time; Closest City: The Hague - Netherlands; and the lock to prevent further changes]
Time Format 


The Clock preference is the most important setting because it determines how Inspector 
displays timestamps. 


1. Click the Clock tab to set the time format. 
2. Choose one of these options. 


• 24-hour format 
• 12-hour format with AM and PM displayed 


System Settings on Windows 10 Computers 


One strategy concerning Time Zone configuration involves setting the Forensic System to UTC, 
with no adjustment for daylight savings. Since Inspector will assume the same time zone as the 
Forensic System, this configuration may make sense. This strategy is of particular benefit if 
there are time zone discrepancies or if the evidentiary system traveled between time zones. The 
benefit comes in having a baseline date/time to work with, one that does not adjust based on 
location or date. Once a particular timeframe of relevance is determined, all time conversions 
can be calculated from that standard UTC baseline. 


Set Time Zone and Disable Daylight Savings Time 


1. In the Windows search box, type time zone. 

2. Click Change the time zone. 
The Date & time page of the Settings window appears. 

3. In the Time zone field, choose the appropriate time zone. 

4. Toggle Off the setting to Adjust for daylight saving time automatically. 

5. Below Related Settings, click Date, time, & regional formatting. 

6. On the Region page, choose the appropriate country or region. 




Disabling Windows AutoPlay 


The Windows AutoPlay function allows a computer to automatically start applications on 
removable and attachable media. Once a device (CD, iOS device, Android device, etc.) is attached, 
a category populates under Devices. The user can select a default action for each individual 
device and category. The best practice is to minimize the chance of automatic processes 
launching. 


1. In the Windows search box, type AutoPlay. 

2. Click AutoPlay settings. 
The AutoPlay page of the Settings window appears. 

3. Toggle Off the setting to Use AutoPlay for all media and devices. 

4. Below Choose AutoPlay defaults, set both Removable drive and Memory card to Take no action 
or Ask me every time. 


Disabling AutoPlay creates a Registry key for the logged-in user at HKEY_USERS\<SID of Relevant 
User Account>\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers. 
The created key is named DisableAutoplay with a DWORD (32-bit) value of 1. Therefore, you can 
manually configure the setting in a Registry editor. 


[Screenshot: Registry Editor open at Computer\HKEY_USERS\S-1-5-21-2628137359-3392807454-1507701342-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers, showing the value DisableAutoplay of type REG_DWORD with data 0x00000001 (1), and the Edit DWORD (32-bit) Value dialog with Value name DisableAutoplay, Value data 1, and Base set to Hexadecimal]
Disable Search Indexing 


1. In the Windows Search box, type Services. 

2. For Services, click Run as administrator. 
The Services window appears. 
[Screenshot: Services window (Local) with Windows Search selected; its description reads "Provides content indexing, property caching, and search results for files, e-mail, and other content."; Status Running, Startup Type Automatic (Delayed Start, truncated in the list)]


3. Right-click the Startup Type value, click Properties, and then click Stop. 

4. In the Startup type field, click Disabled and then click Apply. 


Windows Search Properties (Local Computer) x 
General Log On Recovery Dependencies 


Service name: WSearch 
Display name: Windows Search 


Description: [Provides content indexing, property caching, and 
search results for files, e-mail, and other content. 
| 


Path to executable: 
C:\Windows\system32\Searchindexer.exe /Embedding 


Start Stop Pause Resume 


You can specify the start parameters that apply when you start the service 
from here. 


[a] ze "mm 
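The two workstation settings above (DisableAutoplay in the registry and the Windows Search service stopped and disabled) can also be applied and verified from an elevated PowerShell session. The script below is an added example and is not part of the Cellebrite guide or product. It assumes Windows 10 or 11 with Windows PowerShell 5.1 or later, and it writes the per-user value under HKCU, which is the same hive Registry Editor shows as HKEY_USERS\<SID> for the logged-on account.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Cellebrite guide. Applies and verifies the two
# examiner-workstation settings the guide sets through Registry Editor and the
# Services console: DisableAutoplay = 1 for the current user, and the Windows
# Search (WSearch) service stopped and set to Disabled.

$AutoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'

function Disable-ExplorerAutoplay {
    # HKCU is the logged-on user's hive; Registry Editor shows the same key
    # under HKEY_USERS\<SID>. The value must be a REG_DWORD equal to 1.
    if (-not (Test-Path -Path $AutoplayKey)) {
        New-Item -Path $AutoplayKey -Force | Out-Null
    }
    New-ItemProperty -Path $AutoplayKey -Name 'DisableAutoplay' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-SearchIndexing {
    # Same order as the GUI procedure: stop the service first, then change the
    # startup type so it does not return after a reboot.
    $svc = Get-Service -Name 'WSearch' -ErrorAction Stop
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name 'WSearch' -Force
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
    Set-Service -Name 'WSearch' -StartupType Disabled
}

function Test-ExaminerWorkstationSettings {
    # Read the state back rather than trusting that the writes succeeded.
    $autoplay = (Get-ItemProperty -Path $AutoplayKey -Name 'DisableAutoplay' -ErrorAction SilentlyContinue).DisableAutoplay
    $wsearch  = Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearch'"
    [pscustomobject]@{
        AutoplayDisabled = ($autoplay -eq 1)
        WSearchState     = $wsearch.State        # Stopped when compliant
        WSearchStartMode = $wsearch.StartMode    # Disabled when compliant
        Compliant        = ($autoplay -eq 1) -and ($wsearch.State -eq 'Stopped') -and ($wsearch.StartMode -eq 'Disabled')
    }
}

Disable-ExplorerAutoplay
Disable-SearchIndexing
Test-ExaminerWorkstationSettings | Format-List
```

Because DisableAutoplay lives under HKCU, it protects only the account that ran the script; repeat it under each examiner account that logs on to the workstation. The verification function is deliberately separate so it can be run on its own before an acquisition to confirm nothing has re-enabled the service or reset the value.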
Endpoint Inspector


Endpoint Inspector allows customers of Cellebrite Enterprise Services to create logical data 
collections from remote computers without shipping any hardware. 


Examiners install Inspector on their own computers, then access Endpoint Inspector within 
Inspector in either of these ways. 


e Examiners are logged in and granted their license for each session through the Endpoint 
server. 

e Examiners who have their own licensed Inspector device (dongle) or a software key do not log 
in through the Endpoint server. 


Within Inspector, examiners can connect to the Endpoint agents assigned to them to collect data 
from remote computers. CPU resources are consumed from both the examiner's computer and 
the remote computer, and in rare cases from the Endpoint server as well. Collection over a VPN 
is supported. 


Once connected, examiners can collect and analyze data from the corresponding remote 
computers. Examiners can use these views for selecting data to collect. 


e Remote Browser view 
e Remote File Filter view 
e Remote Thumbnails view 


Examiners can also see the content of a selected file in the Hex, Strings, and Preview tabs. 


Examiners then can save the selected files into a collection file with the Logical Evidence File 
Format (L01). This format is widely supported by forensic and eDiscovery tools, and preserves 
file content, metadata, and folder structure. These L01 files can be immediately ingested into 
Inspector as evidence, where examiners can use robust analysis and reporting tools. 


This chapter provides these topics. 

e Access Endpoint Inspector 
e Connect to Endpoint Agents and Add Volumes 
e Selecting Files for Collection 
e See Content of a Selected File 
e Managing and Collecting Selected Files 
e Examining an Ingested Remote Collection File 
Access Endpoint Inspector 


With Inspector installed on your computer, you can gain access to Endpoint Inspector by 
connecting to the Endpoint server. If you have a device (dongle) or a software key for Inspector, 
you can access Inspector through those means before you connect to Endpoint Inspector. For 
more information, see Access Inspector with a Key or Device. 


Your administrator must provide you with the information you need to type to connect to the 
Endpoint server. The connection information you provide is remembered by Inspector. When you 
later need to re-connect, you only need to type your password. 


1. On your computer, start Inspector. 
The Dongle Required dialog box appears. 
2. Click Endpoint. 
The Endpoint Server Connection dialog box appears. 


[Screenshot: Endpoint Server Connection dialog with the fields Host Name or Address, Port Number (20001 shown), Username, and Password, and Cancel and Connect buttons.]


3. Type the appropriate information in these fields, and then click Connect. 

e Host Name or Address 
e Port Number 
e Username 
e Password 


The Case Manager window appears. 


[Screenshot: Inspector Case Manager window (Inspector 10.3) listing recently opened cases with their locations, Creation Date, and Modified Date, and the buttons New..., Open Other..., Remove, Cancel, and Open.]
4. Choose the appropriate action. 

Create a new case to house file collections for a new investigation. 
    Click New. For more information, see Create a New Case. 

Open an existing case to add more file collections to it. 
    See Open a Case. 

The Case Information window appears. 


[Screenshot: Case Information window with the Examiner Information and Case Time Zone Display sections.]


5. Provide or edit the information necessary to identify the examiner and the case or update the 
synopsis. For more information, see Case Window. 
Access Inspector with a Key or Device 


If you have a device (dongle) for Inspector, or if you have a software key, you can access 
Inspector through those means. If Inspector is installed on your computer, and if you have 
neither a device (dongle) nor a software key for Inspector, you can request access to Inspector 
through the Endpoint server. For more information, see Access Endpoint Inspector. 


Your administrator must provide you with the information you need to type to connect to the 
Endpoint server. The connection information you provide is remembered by Inspector. When you 
later need to re-connect, you only need to type your password. 


1. Start Inspector. 
The Case Manager window appears. 


[Screenshot: Inspector Case Manager window (Inspector 10.3) listing recently opened cases with their locations, Creation Date, and Modified Date, and the buttons New..., Open Other..., Remove, Cancel, and Open.]
2. Choose the appropriate action. 

Create a new case to house file collections for a new investigation. 
    Click New. 

Open an existing case to add more file collections to it. 
    See Open a Case. 

The Case Information window appears. 


[Screenshot: Case Information window with the Case Time Zone Display section.]


3. Provide or edit the information necessary to identify the examiner and the case or update the 
synopsis. For more information, see Case Window. 

4. In the menu bar, click Manage > Endpoint Login. 
The Endpoint Server Connection dialog box appears. 

[Screenshot: Endpoint Server Connection dialog with the fields Host Name or Address, Port Number (20001 shown), Username, and Password, and Cancel and Connect buttons.]

5. Type the appropriate information in these fields, and then click Connect. 

e Host Name or Address 
e Port Number 
e Username 
e Password 
Connect to Endpoint Agents and Add Volumes 


There are two tabs at the top of the Component list, Local and Remote. 


[Screenshot: Inspector main window with the Component list showing the Local and Remote tabs.]


1. On the Remote tab, click Add next to Remote Collections. 
The Select Endpoint Volume window appears. This window shows a list of the Endpoint 
agents assigned to you that are powered on and connected to the network. If data in any 
column is too long to be seen completely, hover over that data element to see the full content 
in a tool tip. 
2. Choose the appropriate action. 

Sort the list of Endpoint agents. 
    Click any column header to sort the list in ascending or descending order. 

Filter the list of Endpoint agents. 
    Type in any column header. 

Clear all the filters. 
    Click X at the right side of the column labels. 

Refresh the list of Endpoint agents. 
    Click Refresh Agents. 


3. Select the appropriate agent. 


Volumes on the computer associated with the selected agent appear in the lower pane. If data in 
any column is too long to be seen completely, hover over that data element to see the full content 
in a tool tip. 


4. Select the appropriate volumes and then click Add Volume. 
The selected agent and volumes appear in the Component list on the Remote tab. 


[Screenshot: Component list on the Remote tab, showing Remote Collections with the added agent (a Windows Server computer) and its selected volume.]
Selecting Files for Collection 


After you have connected to an Endpoint agent on a remote computer, you can choose the view 
to use when you select files. 


You can find and select files in these views. 


e Remote Browser View 
e Remote File Filter View 
e Remote Thumbnails View 


You may also see the contents of a selected file in the Hex, Strings, and Preview tabs. For more 
information, see See Content of a Selected File. 


Once selection is complete, you can create a collection file (L01) that may be immediately 
ingested into Inspector. For more information, see Managing and Collecting Selected Files. 


Remote Browser View 


In the Toolbar, click Remote Browser to see the tree of folders and files on the connected 
computer. 


[Screenshot: Remote Browser view showing the folder and file tree of the connected computer with a Name column; the full path of the selected item is shown in the status bar.]


Use normal procedures for your operating system to take these actions. 


e Sort by any column label. 

e Change the width of any column. 

e Navigate the file tree by opening and closing folders. 
e Select an item or several items. 


To see the full path of the last item selected, look at the status bar in the bottom of the 
window. 


When you double-click any item, the navigation paradigm changes. The Remote Browser view no 
longer shows the file tree structure. Instead, the path bar at the top of the Remote Browser view 
shows the path of the current location in the file structure. You can click in any segment of the 
path bar to navigate directly to that folder. You can still open folders in the Remote Browser 
view. The arrows to the left of the segments function as historical navigation, not as a simple 
back and forward in hierarchy. They navigate either back to the previous location or forward to 
the most recent location. The full path of any selected item is still visible near the bottom of the 
window. 


[Screenshot: Remote Browser path bar with back and forward arrows, showing the segments Users > heidi > Documents > 1Product documentation > Endpoint Inspector.]
To add any selected item or items to the collection, click Action > Add to Collection. 
To remove any selected item or items from the collection, click Action > Remove from Collection. 
When your selections are complete, you can create the collection. 
For more information, see these topics: 


e Remote File Filter View 

e Remote Thumbnails View 

e See Content of a Selected File 

e Managing and Collecting Selected Files 


Remote File Filter View 


In the Toolbar, click Remote File Filter to filter files on the remote computer based on a single 
metadata item at a time. 


[Screenshot: Remote File Filter view with the filter, modifier, and value controls and the Filter button; the result columns include Name, Path, Created, Written, Modified, Accessed, Size, Mode, Hidden, Locked, and Deleted.]


1. Select the filter and then select the modifier. 


2. If necessary, type the appropriate value for the filter and its modifier to target. 
3. Click Filter. 
The results are listed on the Remote File Filter view. 
Use normal procedures for your operating system to take these actions. 


e Sort by any column label. 
e Change the width of any column. 
e Select an item or several items to collect. 
To see the full path of the last item selected, look near the bottom of the window. 


To add any selected item or items to the collection, click Action > Add to Collection. 
To remove any selected item or items from the collection, click Action > Remove from Collection. 
When your selections are complete, you can create the collection. 


You can use these filters to find items to select for collection. 

e Path 
e Name 
e Created, Written, Modified, and Accessed 
e Size 
e Mode 
e Hidden 
e Locked 
e Deleted 
Path 

The Path filter has these modifier options. 

e contains (default) 
e does not contain 
e starts with 
e ends with 
e is 
e is not 

Name 

The Name filter has these modifier options. 

e contains (default) 
e does not contain 
e starts with 
e ends with 
e is 
e is not 

Created, Written, Modified, and Accessed 

The Created, Written, Modified, and Accessed filters let you filter files based on these dates. Each 
of these filters has these modifier options. 

e is before (default) 
e is after 

You must type the date in this format: YYYY-MM-DD. 
Size 


The Size filter lets you see files based on size attributes with any of these modifier options. 

e equals (default) 
e is not 
e is less than 
e is greater than 
e is <= to 
e is >= to 

The unit of measure is bytes. For example, to see only files larger than 1 MB, select the is greater 
than modifier and then type 1000000. Note that this is the decimal megabyte; if you mean the 
1,048,576-byte megabyte that Windows Explorer labels MB, type 1048576 instead. 


Mode 


The Mode filter matches a file's mode string: one or more file type flags followed by the nine Unix 
permission characters rwxrwxrwx (read, write, and execute for owner, group, and others). The same 
notation is used regardless of the operating system of the remote computer, so not all flags apply 
to all systems. For a directory the type flag is always d; for other items a type flag appears only 
when one of the modes below is set, and a regular file shows - in its place. This is the string form 
of Go's os.FileMode, whose type flags the table reproduces. Note the difference between lowercase 
l (exclusive use) and uppercase L (symbolic link). This list defines the possible type flags. 

Bit Name         Symbol   Definition 
ModeDir          d        is a directory 
ModeAppend       a        append-only 
ModeExclusive    l        exclusive use 
ModeTemporary    T        temporary file (Plan 9 OS only) 
ModeSymlink      L        symbolic link 
ModeDevice       D        device file 
ModeNamedPipe    p        named pipe (FIFO) 
ModeSocket       S        Unix domain socket 
ModeSetuid       u        set uid 
ModeSetgid       g        set gid 
ModeCharDevice   c        Unix character device, when ModeDevice is set 
ModeSticky       t        sticky 
ModeIrregular    ?        non-regular file; nothing else is known about this file 


The Mode filter has these modifier options. 

e contains (default) 
e does not contain 
e starts with 
e ends with 
e is 
e is not 


For example, to find all files that are symbolic links, select the Mode filter and then the contains 
modifier option. Type L, and then click Filter. 
Hidden 


The Hidden filter shows items hidden in the computer's operating system. This filter has these 
modifier options. 


e is Yes (default) 
e is not Yes 


Locked 
The Locked filter has these modifier options. 


e is Yes (default) 
e is not Yes 


Locked files are write-protected (read-only). A standard user can open these files and perhaps 
copy them to a different location. However, a locked file cannot (under normal circumstances) be 
modified, renamed, or deleted. 


Deleted 


The Deleted filter shows files that were deleted from NTFS file systems. This includes files that 
were emptied from the recycle bin. This filter has these options. 


e is Yes (default) 
e is not Yes 
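
The two worked examples in this section (Mode contains L to find symbolic links, and Size is greater than 1000000 to find files over 1 MB) can be reproduced locally to see how a filter, modifier, and value combine, and the model below extends them to every filter type listed above. It is an added example and is not part of the Cellebrite guide or product: the filter and modifier names are taken from this section, while the file entries, the case-insensitive comparison of Path and Name, and the case-sensitive comparison of Mode are assumptions of this model.

```powershell
# Added example, not from the Cellebrite guide or product: a local model of how
# a Remote File Filter (filter + modifier + value) selects files, run over a
# constructed file list. Filter and modifier names follow the guide; the
# entries and the comparison rules are assumptions of this model.

$Entries = @(
    [pscustomobject]@{ Name = 'report.pdf';     Path = 'C:\Users\heidi\Documents\report.pdf';     Size = 1258291;    Modified = [datetime]'2021-03-18'; Mode = '-rw-r--r--'; Hidden = $false }
    [pscustomobject]@{ Name = 'notes.txt';      Path = 'C:\Users\heidi\Documents\notes.txt';      Size = 2048;       Modified = [datetime]'2020-11-02'; Mode = '-rw-------'; Hidden = $false }
    [pscustomobject]@{ Name = 'almost1mib.bin'; Path = 'C:\Users\heidi\Downloads\almost1mib.bin'; Size = 1040000;    Modified = [datetime]'2020-12-31'; Mode = '-rw-r--r--'; Hidden = $true  }
    [pscustomobject]@{ Name = 'link';           Path = 'C:\Users\heidi\link';                     Size = 0;          Modified = [datetime]'2021-01-05'; Mode = 'Lrwxrwxrwx'; Hidden = $false }
    [pscustomobject]@{ Name = 'Documents';      Path = 'C:\Users\heidi\Documents';                Size = 0;          Modified = [datetime]'2021-03-01'; Mode = 'drwxr-xr-x'; Hidden = $false }
    [pscustomobject]@{ Name = 'big.iso';        Path = 'D:\images\big.iso';                       Size = 4700000000; Modified = [datetime]'2019-07-30'; Mode = '-rw-r--r--'; Hidden = $false }
)

function Test-FilterMatch {
    param($Entry, [string]$Filter, [string]$Modifier, [string]$Value)
    $actual = $Entry.$Filter
    switch -Regex ($Filter) {
        '^(Path|Name|Mode)$' {
            # Text filters. Path and Name are compared case-insensitively, as
            # Windows file names are; Mode stays case-sensitive because 'L'
            # (symbolic link) and 'l' (exclusive use) are different flags.
            $cmp = if ($Filter -eq 'Mode') { [StringComparison]::Ordinal } else { [StringComparison]::OrdinalIgnoreCase }
            switch ($Modifier) {
                'contains'         { return $actual.IndexOf($Value, $cmp) -ge 0 }
                'does not contain' { return $actual.IndexOf($Value, $cmp) -lt 0 }
                'starts with'      { return $actual.StartsWith($Value, $cmp) }
                'ends with'        { return $actual.EndsWith($Value, $cmp) }
                'is'               { return [string]::Equals($actual, $Value, $cmp) }
                'is not'           { return -not [string]::Equals($actual, $Value, $cmp) }
            }
        }
        '^(Created|Written|Modified|Accessed)$' {
            # The guide requires YYYY-MM-DD, so parse exactly that instead of
            # letting the local culture guess at day/month order.
            $date = [datetime]::ParseExact($Value, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
            switch ($Modifier) {
                'is before' { return $actual -lt $date }
                'is after'  { return $actual -gt $date }
            }
        }
        '^Size$' {
            # The unit is bytes: the guide's "1 MB" is 1000000, not 1048576.
            $size = [int64]$Value
            switch ($Modifier) {
                'equals'          { return $actual -eq $size }
                'is not'          { return $actual -ne $size }
                'is less than'    { return $actual -lt $size }
                'is greater than' { return $actual -gt $size }
                'is <= to'        { return $actual -le $size }
                'is >= to'        { return $actual -ge $size }
            }
        }
        '^(Hidden|Locked|Deleted)$' {
            switch ($Modifier) {
                'is Yes'     { return [bool]$actual }
                'is not Yes' { return -not [bool]$actual }
            }
        }
    }
    throw "Unsupported filter/modifier combination: $Filter / $Modifier"
}

function Select-RemoteFiles {
    param([string]$Filter, [string]$Modifier, [string]$Value)
    $Entries |
        Where-Object { Test-FilterMatch -Entry $_ -Filter $Filter -Modifier $Modifier -Value $Value } |
        Select-Object -ExpandProperty Name
}

# The guide's two worked examples, then the same size threshold in MiB, then a date filter.
Select-RemoteFiles -Filter Mode     -Modifier 'contains'        -Value 'L'
Select-RemoteFiles -Filter Size     -Modifier 'is greater than' -Value '1000000'
Select-RemoteFiles -Filter Size     -Modifier 'is greater than' -Value '1048576'
Select-RemoteFiles -Filter Modified -Modifier 'is after'        -Value '2021-01-01'
```

The second and third calls differ by exactly the constructed 1,040,000-byte file, which is the practical consequence of the bytes unit described under Size. The model rejects any date that is not in YYYY-MM-DD form rather than guessing, and a Mode value of lowercase l would select exclusive-use files, not symbolic links.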


For more information, see these topics: 


e Remote Browser View 

e Remote Thumbnails View 

e See Content of a Selected File 

e Managing and Collecting Selected Files 
Remote Thumbnails View 


In the Toolbar, click Remote Thumbnails to see thumbnails of image files. These file types are 
supported. 

e png 
e jpg/jpeg 
e gif 
e tiff 
e bmp 


[Screenshot: Inspector window with the Remote Thumbnails button on the Toolbar.]


Use normal operating system procedures for your computer to select files to be collected. 
Selected files are surrounded by a yellow box. 


[Screenshot: Remote Thumbnails view showing image thumbnails from the remote volume, with one selected file outlined in yellow; the Hex tab below shows the start of the selected JPEG file (FF D8 FF DB ...).]

To add any selected item or items to the collection, click Action > Add to Collection. 
To remove any selected item or items from the collection, click Action > Remove from Collection. 
When your selection is complete, you can create the collection. 


For more information, see these topics: 


e Remote Browser View 
e Remote File Filter View 
e See Content of a Selected File 
e Managing and Collecting Selected Files 
See Content of a Selected File 


In all the views (Remote Browser, Remote File Filter, Remote Thumbnails), these tabs show the 
content of a selected file. 

e Hex Tab 
e Strings Tab 
e Preview Tab 


Hex Tab 


To see the content of the selected file in hexadecimal and ASCII characters, click Hex. 


[Screenshot: Hex tab for a PDF file, showing offsets, hexadecimal bytes, and the ASCII column with fragments such as endobj and 21 0 obj.]


Strings Tab 


To see the content of the selected file in ASCII printable strings of three (3) characters or more, 
click Strings. 


[Screenshot: Strings tab for a PDF file, listing its document metadata strings, for example:
Producer: madbuild
Title: Installation and Administration Guide
xmp:dc:format: application/pdf
xmp:xmpMM:DocumentID: uuid:db5854df-2fe5-4828-af63-593ceb94b53d]
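
What the Strings tab computes can be reproduced locally. The function below is an added example and is not part of the Cellebrite guide or product: it returns every run of at least three printable ASCII bytes (0x20 to 0x7E), which is why short PDF tokens such as obj and endobj appear between binary stream data. The sample byte string is constructed for the example.

```powershell
# Added example, not from the Cellebrite guide or product: the Strings tab's
# rule applied locally. Returns every run of printable ASCII (0x20-0x7E) at
# least $MinLength bytes long. The sample bytes below are constructed.

function Get-AsciiStrings {
    param(
        [Parameter(Mandatory)] [byte[]] $Bytes,
        [int] $MinLength = 3
    )
    $results = New-Object System.Collections.Generic.List[string]
    $run     = New-Object System.Text.StringBuilder
    foreach ($b in $Bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) {
            [void]$run.Append([char]$b)
            continue
        }
        # A non-printable byte ends the current run; keep it only if long enough.
        if ($run.Length -ge $MinLength) { $results.Add($run.ToString()) }
        [void]$run.Clear()
    }
    if ($run.Length -ge $MinLength) { $results.Add($run.ToString()) }
    return $results
}

# Constructed sample: a PDF-like header, binary filler, a PDF object token,
# a two-character fragment that is too short to report, and a UTF-16LE string
# stored the way Windows stores many of its strings.
$ascii = [System.Text.Encoding]::ASCII
[byte[]]$sample = @()
$sample += $ascii.GetBytes('%PDF-1.7')
$sample += 0x0D, 0x0A, 0xFF, 0xD8, 0x00, 0x84, 0x00, 0x02
$sample += $ascii.GetBytes('21 0 obj')
$sample += 0x00, 0x01, 0x02
$sample += $ascii.GetBytes('ok')
$sample += 0x00
$sample += [System.Text.Encoding]::Unicode.GetBytes('Title')
$sample += 0x00, 0x00

Get-AsciiStrings -Bytes $sample
```

The UTF-16LE text at the end is included on purpose: each letter is followed by a NUL byte, so an ASCII-only pass never accumulates a run of three and the word is not reported. Strings stored this way, which are common in Windows executables and registry data, need a separate wide-character pass; the Strings tab as described here is ASCII only.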


Preview Tab 


To see the content of the selected file as it would appear in its native application, click Preview. 


[Screenshot: Preview tab rendering the cover page of the selected PDF: Installation and Administration Guide, Cellebrite Endpoint.]


If you resize the tab region for image file types, the image in the Preview tab scales to fit the 
viewing area. 


Depending on the type of file, various controls may be available on the Preview tab. These 
controls let you navigate within some file types and play some audio and video file types. 
Managing and Collecting Selected Files 


To see all files selected for remote collection, click Remote Collection. 


[Screenshot: Remote Collection view listing the files selected for collection, with the Add to Case checkbox and the Start Collection button.]


In the Remote Collection view, you can review the selected files before you start collecting them. 
You may remove files or open the other views to add more files. Saving the collected files creates 
a file in Logical Evidence File Format (L01) format. This format preserves file content, metadata, 
and the folder structure of all the files you select. The process of saving the collected files into 
an L01 file may take some time to complete. 


Choose any of these actions. 

Remove a file from the collection 
    Click Action > Remove From Collection. 

Ingest the L01 file into Inspector immediately as evidence for the case that is currently open 
    Mark the checkbox labeled Add to Case and then create the L01 collection file. If you do not 
    mark this checkbox, the L01 file can be created but it is not immediately ingested into 
    Inspector. Inspector can ingest the file later or you can use other eDiscovery tools to 
    examine the L01 file. 

Create the L01 collection file 
    1. Click Start Collection. 
    2. Specify the filename and destination where the collection L01 file will be saved. 

When the L01 collection file is complete, if you had marked the Add to Case checkbox, you can 
see the L01 file within Inspector as ingested evidence. For more information, see Examining an 
Ingested Remote Collection File. 
Examining an Ingested Remote Collection File 


When you save a remote collection with the Add to Case checkbox marked on the Remote 
Collection view, you can see the L01 file within Inspector as ingested evidence. At the top of the 
Component list, click Local. 


[Screenshot: Component list on the Local tab, showing the ingested L01 collection file under Evidence.]
You can choose the processing options to use when parsing the ingested L01 collection file. For 
more information, see Adding Evidence to a Case. 


Refer to the remainder of this user guide to see how to use all the features of Inspector to 
examine and tag ingested evidence files and much more. 


March 2022 Cellebrite Inspector User Guide 


Managing Case Evidence 


This chapter provides these topics about managing case evidence. 

e Create a New Case 
e Open a Case 
e Adding Evidence to a Case 
e Remove Evidence From a Case 
e Move a Case File to a Different Computer 
e Relocating a Disk Image 
e Exporting Mobile Device Evidence 
e Hashing and Verifying Forensic Evidence 
e Advanced Evidence Recovery 
e File Entropy 


Create a New Case 


Launch Cellebrite Inspector, or if Inspector is already running, click Window > Cases Window. The 
Inspector Case Manager window appears. 


[Screenshot: Inspector Case Manager window (Inspector 10.3) listing recently opened cases with their locations, Creation Date, and Modified Date, and the buttons New..., Open Other..., Remove, Cancel, and Open.]


To create a new case, click New. In the Save dialog box, navigate to the location where case files 
are saved, and then click Save to save the new case and begin working with Inspector. 


On Windows computers, an Inspector case can be mapped to a volume letter of your choice, thus 
avoiding the file path character limit of Windows. Inspector defaults to the next available drive 
letter, but you can choose the drive you prefer. To access this feature on a Windows computer, 
click Manage > Drive Mappings. After you map the case to a drive letter, close the case and then 
open the Case Manager window. Click Open Other and locate the case you just mapped. 


When you open a case file, the Case Info view appears. You can provide information about the 
examiner and the case here. You can change or add to this information any time during an 
examination. 


The Examiner Information fields retain the information you provide; you don't need to provide 
this information each time you create a case. 
Because each case is unique, you must provide the case number, case name, and synopsis for 
each case in the Case Information fields. 


[Screenshot: Case Information fields Number, Name, and Synopsis; Case Time Zone Display with Time Zone: UTC and Example: 2021-03-09 04:02:46 (UTC).]


Inspector detects if it has not been updated recently and notifies you when an update is available, 
with links that provide access to necessary updates. 


Inspector Time Zone Settings 


In the bottom left corner of the Case Info window, you may select a time zone in the Time Zone 
field. This determines the time zone used by evidence timestamps in the Case Window and in the 
examiner report. 


By default, Inspector displays timestamps as Coordinated Universal Time (UTC). Dates and times 
are displayed with the selected time zone appearing in parentheses, for example: 2009-12-19 
19:34:51 (PST). Inspector makes automatic adjustments for daylight saving time shifts for 
different parts of the world. You don't need to make any manual changes. 


After case information is complete, you can begin adding evidence to the case file. 
On a Mac computer, an Inspector case file is actually a package file. 
On a Windows computer, an Inspector case is a folder. 


All case elements are stored in this folder or package file, so a case file can grow rather large 
depending on how big a case is. Before you create a new case, make sure there is plenty of 
storage space on the working hard drive. 
Open a Case 


Launch Cellebrite Inspector, or if Inspector is already running, click Window > Cases Window. The 
Inspector Case Manager window appears. 


[Screenshot: Inspector Case Manager window (Inspector 10.3) listing recently opened cases with their locations, Creation Date, and Modified Date, and the buttons New..., Open Other..., Remove, Cancel, and Open.]


The Inspector Case Manager window shows a list of recently opened cases. To open a case file, 
select the case and click Open. To reopen a case after it has been removed from the recent case 
list, click Open Other, navigate to the case file, and then click Open. You can open a case located 
anywhere in the file system. 


On Windows computers, double-click the case file in File Explorer. 


On Mac computers, double-click the case file in Finder. You can also drag a case file from Finder 
onto the Inspector Case Manager window to add it to the recent case list. 


If the case list becomes too long, you can remove items from the list. Open the context menu 
from a case, and then click Delete from recent item list. You can also select a case and press 
DELETE. This removes the case from the list but does not delete the case file itself. To see the 


location of a case file in the file system, open the context menu from the case, and then click 
Reveal on Disk. 


Update a Case to Work in a Newer Version of Inspector 


If you open a case that was created using a version of Inspector that is older than the version 
currently running on your computer, this message appears: The case document is out of 
date. Would you like to update the document now? Click Update to update the case 
file. You can click Cancel to continue working with the case file without updating it, but this is not 
recommended. 


Case files created in older versions of Inspector sometimes cannot be updated to the newest 
version. 
Updating a case file does not automatically run any processing or analysis. To take advantage of 
new or enhanced processing or features, you must re-examine case data. 


1. Archive the case file in the older version of Inspector. 
2. Import the archived case into the newer version of Inspector. 
3. Reprocess the evidence in the newer version of Inspector. 
This ensures that all functions and features of the newer version of Inspector are used to 
analyze the data. 


Adding Evidence to a Case 


These types of evidence can be ingested into a case in Cellebrite Inspector. 


Evidence Types and Descriptions 

Attached Drives 
    An attached drive can be imaged and ingested. Attached drives must be write-blocked either 
    with software- or hardware-based write blockers. 

Disk Image 
    A forensic image. Inspector supports dd, dmg, sparse images/bundles, vmdk, E01, Ex01, L01, 
    AFF4, and SMART image formats. Use this option to add iOS images created by Cellebrite, 
    ElcomSoft, iXAM, JZ, and MPE+. 

Selected Image File 
    A selected image file or virtual machine file is an evidence item in the Component list 
    (available only when an image file or VM file is selected). 

Unencrypted or Encrypted iOS Disk Image 
    An unencrypted iOS disk image or a forensically acquired third-party iOS disk image with 
    proprietary encryption enabled (for example, Cellebrite, Lantern Lite, etc.). 

iOS Backup 
    An iOS device (such as iPhone or iPad) backup folder. 

Memory (Dump, Image, File) 
    A Windows memory (RAM) file. Inspector supports raw, hiberfil.sys (hibernation file from 
    Windows Vista through Windows 10 v1703), pagefile.sys, and crash dumps (full, from Windows 
    Vista or Windows 7). 

USB Attached Mobile Device 
    A mounted iOS device (iPod, iPhone or iPad), or Android device. 

Other Attached Device 
    A mounted device such as a .dmg image, Time Machine, an external FireWire or USB drive, or a 
    mounted .E01 file (EWMounter). 

Mobilyze Case 
    A case from Mobilyze, Cellebrite's mobile device triage tool. 

Folder 
    A folder and the folder's contents. 

File 
    An individual non-disk image file. 

Berla iVe Database 
    A database exported from Berla iVe Desktop using the Cellebrite export option. 

iCloud Production Files from Apple 
    iCloud zip archives extracted from encrypted GPG files containing iCloud device backups 
    within. These files can be obtained from Apple with a valid search warrant. 

Files from UFED or Physical Analyzer in .ufd format 
    When a folder contains a .ufd file and an appropriate collection from UFED or Physical 
    Analyzer, you can select .ufd files (not .ufdx files). The corresponding compressed evidence 
    files are automatically selected and ingested. The collection must be in its original 
    unaltered folder structure. If you prefer, you can manually select compressed files instead, 
    such as .tar, .zip, and .dar. 


Adding Disk Images and External Files 


You can add disk image files, folders, iOS backups, and other external files by dragging and 
dropping them from the source (Finder, external device, etc.) onto the Evidence section of the 
Component list. Inspector imports these image formats. 


Disk Image Formats 

Formats                                                   Creation Program 
RAW Image (DD)                                            Most forensic programs 
Disk Image (DMG)                                          Digital Collector, converted DD images 
EnCase (EWF-E01), (EWF-L01), (EWF2-EX01)                  EnCase (all versions), FTK Imager 
SMART (EWF-S01)                                           ASR SMART 
Virtual Machine Disks (VMDK), including for Windows 10    VMware 
Advanced Forensic File Format (AFF4)                      Digital Collector 


iOS Image Formats 


Formats | Vendor 


Cellebrite UFED PA (1.1.7.8 and higher) Physical Images | Cellebrite 

Premium CAIS extractions (.dar format) | Cellebrite 

Cellebrite Logical Images created via Method 1 (iOS backup archive) | Cellebrite 

Cellebrite Logical Images created via Method 2 (logical filesystem dump) | Cellebrite 

GrayKey | Grayshift 

iOS Forensic Toolkit (1.04 and higher) | ElcomSoft 

iPhone-Dataprotect / Lantern Lite | http://code.google.com / Katana Forensics 

JZ (all versions) | Jonathan Zdziarski Tools 

iXAM (2.3.9 and higher) | Forensic Telecommunications Services 

MPE+ (4.0 and higher) Physical Images | AccessData 


Ingesting Backups from Within Images 


Inspector can directly ingest device backups from within images. It is not necessary to export 
and ingest them separately. This improves efficiency and results in smaller case file sizes. These 
file types may be ingested in this way. 


• E01 
• iPhone backups 
• plain files and directories 
• raw disk images 
• some specific .dmg types 
• zip 
• tar 


If .zip or .tar files are imported and Process Archives is selected, they appear as an evidence 
source with all the contents of the archive in the file browser for that evidence source. 


Processing During Acquisition 


Inspector allows multi-core processing during device acquisition to speed up parsing of paths, 
file types, pictures, videos, and metadata. You can change this setting on the Options tab in 
the Preferences window. For more information, see Inspector Preferences or Options. 


Both types of acquisitions must be authenticated (hashed) to confirm the copy is identical to the 
original. 


A forensic image (.dmg) is identical to the disk or device from which it was acquired and includes 
allocated, unallocated, and free space. It is a bit-by-bit representation of the entire physical drive 
or device. A .dmg disk image acts like a hard drive, but it is actually a single file. It can be resized 
using an application such as Apple's Disk Utility application. 


A sparse image (.sparseimage) is also a single file, but it becomes larger as additional data is 
added to it. A sparse image is a logical representation of the logical data copied to it. 


A sparse bundle is a bundle (like a folder) that contains several individual files. A sparse bundle 
is also a logical representation of the logical data that has been copied to it. 
Supported File Systems 


Inspector's filesystem parsers include parsers for the Apple File System (APFS), HFS+/HFSX 
filesystem, FAT filesystems (FAT12/FAT16/FAT32), and NTFS filesystem. Inspector allows 
ingestion and parsing of other filesystems; however, support is currently experimental as they 
have not been fully tested within Inspector. 


These are the experimental filesystem parsers. 


• exFAT 

• EXT2 

• EXT3 

• EXT4 

• UFS 

• YAFFS2 

• ISO 9660 


Add Evidence Items 


You can add evidence files to a case in Inspector from the Component list either by dragging and 
dropping or from the File menu. 


• Click File > Add Evidence. 
• In the Evidence section of the Component list, click Add. 


The Add Evidence window appears with all appropriate options for data ingestion. Inspector 
automatically scans for attached or mounted live devices, including attached and unlocked 
mobile devices, for display in the upper left under Attached/Mounted Devices. Attached disks or 
volumes are hidden by default, but you can see or hide them by clicking Show or Hide. Below that 
are any files, folders, memory images, and disk images that are potentially being added to the 
case. (Each item has a checkbox that can be marked or unmarked. The item will only be included 
in the ingestion process if the item's checkbox is marked.) To remove an item from this list, open 
Inspector's context menu from the item and click Remove. To add an item to the list, click Add, 
then choose the appropriate disk image, folder, or file. 


It is possible to add multiple items to a case at the same time. Select each item for processing 
and choose the appropriate ingestion options. 
Click Refresh at the bottom of the window, and Inspector once again scans for attached or 
mounted live devices, including attached and unlocked mobile devices, and displays them in the 
upper left. 


[Screenshot: Add Evidence window. Left pane: Attached/Mounted Devices and Files / Folders / 
Disk Images, with Bennett-Computer-200520.E01 (EWF image) selected and Evidence ID 
Bennett-Computer-200520.E01 - 001. Middle pane: Protective MBR (512 Bytes), Primary GPT Header 
(512 Bytes), Primary GPT Table (16.0 KB), Unallocated, EFI System Partition (FAT32), Racer - Data 
(APFS) with Snapshots [0 Selected, 4 Unselected, 0 Processed], Preboot (APFS), Recovery (APFS), 
Racer (APFS), Unallocated (APFS), Basic data partition (NTFS) (52.4 GB) with VSCs [0 Selected, 
2 Unselected, 0 Processed], Unallocated. Right pane: Processing Options with Preview / Triage / 
Comprehensive and the ingestion option checkboxes (Extract Data, DB Recovery, File Signature 
Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate 
Hashes, Identify Known Files, File Carving, File System Journal Analysis, Spotlight Parsing, 
OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction)); Saved Templates: 
No Template. Bottom: Refresh, Remove, 1 of 1 selected, Cancel, Start.] 


When an item is selected in the left pane, all its partitions appear in the middle pane. Partitions 
with recognized file systems appear with checkboxes marked by default, while partitions with 
unrecognized file systems do not have marked checkboxes. APFS Snapshots and Windows 
Volume Shadow Copies (VSCs) also appear in the middle pane and can be expanded. Below each 
Snapshot and VSC entry is a label indicating the number of Snapshots or VSCs that are Selected, 
Unselected, and Processed. By default, none of the Snapshots and VSCs are selected for 
processing. Like all other listed volumes, you can set different processing options for each 
individual Snapshot and VSC. Remember that processing all Snapshots and VSCs takes time, but 
they do not have to be ingested during initial evidence processing. 


If you mark the checkbox for a partition with an unrecognized file system, Carve Unallocated then 
becomes an available option for that partition. 


Any partition with a recognized file system may also be imported as unallocated. Open 
Inspector's context menu from the partition and click Import Partition as Unallocated. The Carve 
Unallocated option becomes available for that partition. 


You can also import attached disks in the left pane as unallocated in the same fashion. Open 
Inspector's context menu from the item and click Import as Unallocated. 


Note: If the item is a partition with a recognized file system that is currently set to be added to 
the case as unallocated, Import Partition Normally becomes available in the context menu. 


If you click Add and select a memory file to add to a case, Inspector usually recognizes it as a 
memory file. However, some memory files are so complex that Inspector cannot instantly 
determine whether they are memory images. If Inspector is unable to verify a memory file within 
10 seconds, the item is displayed as a plain file. You may override this interpretation and tell 
Inspector to ingest the item as a memory file. Open Inspector's context menu from the item and 
click Memory (Dump, Image, File). 
Passware is integrated into Inspector. Images with these types of full disk encryption can be 
decrypted with the proper decryption credentials. 


• BitLocker 

• FileVault 2 

• LUKS (Linux Unified Key Setup) 

• TrueCrypt 

• VeraCrypt 


Cellebrite Inspector User Guide 


When an image file using one of these encryption types is added to Inspector, it is identified as a 
locked partition. 


[Screenshot: Add Evidence window with BBSFSL001_withBitlocker.E01 (EWF image) selected and 
Evidence ID BBSFSL001_withBitlocker.E01 - 001. Middle pane: Primary GPT Header (512 Bytes), 
Primary GPT Table (16.0 KB), Unallocated (1007.0 KB), Microsoft reserved partition (16.0 MB), 
Basic data partition (Encrypted) (232.4 GB), Unallocated (280.0 KB), an NTFS partition, 
Unallocated (1.2 MB). Right pane: Processing Options (Preview / Triage / Comprehensive) with 
File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image 
Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, 
Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), 
Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, and 
Manage Passwords... Bottom: Refresh, Remove, 1 of 1 selected, Cancel.] 
When a locked volume is selected, the Volume Encryption Password Needed dialog box appears. 


• BitLocker requires either the password or recovery key for decryption. 

• FileVault 2 requires a user login password. 

• LUKS requires the password or recovery key. 

• For TrueCrypt and VeraCrypt volumes, select the encryption type and then type the 
password. A VeraCrypt volume may also require the optional PIM (personal iterations 
multiplier). VeraCrypt may take several minutes to validate the password. 
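The following Python example is added to this guide to illustrate how a locked partition can be recognized from its first sector; it is not Inspector's or Passware's code. BitLocker and LUKS leave a plaintext signature in the volume's first bytes, whereas TrueCrypt and VeraCrypt encrypt their own header, which is why the dialog asks you to select the type for those two. The sample sectors are constructed. 

```python
"""Recognise BitLocker and LUKS volumes from their first sector.

Added example; this is not Inspector's or Passware's code. Constructed sample
sectors stand in for the first 512 bytes of a partition inside a disk image.
"""
import struct

# Plaintext on-disk signatures (facts of the formats, not assumptions):
# a BitLocker volume boot sector carries the OEM ID "-FVE-FS-" at byte offset 3,
# and a LUKS header starts with "LUKS" 0xBA 0xBE followed by a big-endian version.
BITLOCKER_OEM_ID = b"-FVE-FS-"
LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR_SIZE = 512


def identify_volume(first_sector: bytes) -> str:
    """Return 'BitLocker', 'LUKS1'/'LUKS2', or 'unknown/no signature'.

    TrueCrypt and VeraCrypt volumes encrypt their own header, so nothing in
    the first sector identifies them; they land in 'unknown/no signature',
    which is exactly the case where the examiner must choose the type by hand.
    """
    if len(first_sector) < 16:
        return "unknown/no signature"
    if first_sector[3:11] == BITLOCKER_OEM_ID:
        return "BitLocker"
    if first_sector[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", first_sector[6:8])[0]
        return f"LUKS{version}"
    return "unknown/no signature"


def _sector(prefix: bytes) -> bytes:
    """Pad a constructed prefix out to one full sector."""
    return prefix + b"\x00" * (SECTOR_SIZE - len(prefix))


# Constructed samples: a BitLocker boot sector (jump instruction, then OEM ID),
# a LUKS2 header, and an opaque block standing in for a VeraCrypt volume.
SAMPLE_BITLOCKER = _sector(b"\xeb\x58\x90" + BITLOCKER_OEM_ID)
SAMPLE_LUKS2 = _sector(LUKS_MAGIC + struct.pack(">H", 2))
SAMPLE_OPAQUE = bytes((i * 73 + 11) % 256 for i in range(SECTOR_SIZE))


def triage(samples: dict) -> dict:
    """Map each partition name to the type identified from its first sector."""
    return {name: identify_volume(sector) for name, sector in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage({
        "partition-2": SAMPLE_BITLOCKER,
        "partition-3": SAMPLE_LUKS2,
        "partition-4": SAMPLE_OPAQUE,
    }).items():
        print(f"{name}: {verdict}")
```

An "unknown/no signature" result on a partition whose contents look random is the situation described above for TrueCrypt and VeraCrypt: there is nothing to detect, so the type has to be supplied along with the password (and, for VeraCrypt, the PIM). 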


[Screenshot: Volume Encryption Password Needed dialog box for BBSFSL001_withBitlocker.E01. 
Text: "Specify encryption type and password for unlocking the encrypted volume. If the volume 
is not encrypted, select the "Not Encrypted" type." Fields: Type (Encrypted), Password.] 


Once the volume is unlocked, choose the processing options. The decrypted data appears in 
Inspector. 


When an item in the left pane is selected, the middle pane shows the Evidence ID field where you 
can edit the evidence ID for the item. 


You can also perform these tasks from the Add Evidence window. 


• Recover a deleted or missing partition. 
• Specify disk sector size for a disk or partition. 
• Create an .iso disk image file from a partition. 


For more information, see Advanced Evidence Recovery. 


The Add Evidence window has these quick processing options for ingestion. 


• Preview deselects all options. 

• Triage lets Inspector automatically select only some of the options. These depend on the type 
of items selected. 

• Comprehensive selects all options. 
You can also manually select processing options for ingesting each item, volume, Snapshot, or 
VSC so that each piece of evidence is processed in only the manner you choose. 


[Screenshot: Processing Options pane for Racer (APFS) with Preview / Triage / Comprehensive 
and checkboxes for Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video 
Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, 
File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart 
Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, iCloud Backups, 
and Hiberfil.sys / Pagefile.sys (Quick Scan / Deep Scan); Manage Passwords... button; Saved 
Templates: No Templates.] 


If an item is selected in the left pane while you change ingestion options in the right pane, those 
options apply to all partitions in the middle pane. However, selecting a partition in the middle 
pane allows you to change ingestion options for only that partition. 


A black checkbox indicates an indeterminate value, meaning that some but not all of the 
sub-options for that selection are chosen. For example, if you mark the Calculate Hashes 
checkbox, you see a checkmark. However, when you select the corresponding ellipsis button and 
mark only the MD5 sub-option, the Calculate Hashes checkbox becomes black to indicate an 
indeterminate value. The same concept applies to the left pane of the Add Evidence window. If 
only some partitions for an evidence item are selected for import, the left content pane will show 
an indeterminate value for the item rather than a checkmark. 


You can select custom processing options for a specific attached device and have them 
remembered. This lets you close the case and open it later in the Add Evidence window without 
having to select processing options again. You can change this setting on the Options tab in the 
Preferences window. For more information, see Inspector Preferences or Options. 


You may also use saved ingestion option templates. Choose the appropriate template in the 
Saved Templates field in the lower right of the Add Evidence window, and the ingestion options 
immediately update to reflect the saved template settings. For more information, see File Menu. 
Image and Ingest an Attached Drive 


Inspector can acquire full disk or logical images of attached drives. These attached drives must 
be write-blocked with either software- or hardware-based write blockers. With the drive 
connected, click Action > Disk Imaging. 


[Screenshot: Image Device dialog box. Image Type: E01 (Best Compression), with hash options 
including SHA256; device list showing OS (NTFS) (1.8 TB) under Disk and Local Disk; Segment 
Size: No Segments; Destination(s); Automatically Add to Case File (Triage Mode) checkbox; 
Examiner Name, Case Number, Evidence Number, Description, and Notes fields; Refresh, Exit, 
and Start buttons.] 


The Image Device dialog box shows only the options appropriate for the selected image type. To 
save time when triaging, leave the Automatically Add to Case File (Triage Mode) checkbox marked 
to ingest immediately after imaging. You can see information about ingestion and processing 
when you select Export / Imaging Status under Activity in the Component list. 


Adding a Disk Image 


The process for adding a disk image is begun the same way as for adding any form of evidence to 
an Inspector case. For more information, see Adding Evidence to a Case. Additional information 
about ingestion/processing options appears below. 


In the Ingestion Options section of the Add Evidence window, mark the checkbox for the 
appropriate options. 


Options | Description 


Extract Data | Inspector's internal processes for populating data in the Actionable Intel, 
Communication, Locations, Internet, Productivity, and System tabs. 

DB Recovery | Recovers deleted entries from databases 

File Signature Analysis | Compare file headers to file extensions to see if they match (populates 
Content Extension field) 

Picture Analysis | Identify pictures using signature analysis; options include running Image 
Analyzer against pictures identified for selected threat categories 

Video Analysis | Parse videos and split them into sixteen frame sequences (4 x 4) to allow 
Inspector gallery view and % skin tone analysis; options include running Image Analyzer 
against the sixteen frame sequences created for each video identified for selected threat 
categories 


Process Archives | All archive files (zip, gz, 7z, tar, and rar) are expanded down to two levels 
of nested archives. 

If you run this process while ingesting a disk image, certain types of device backups within 
the image are directly and immediately ingested. These backup file types may be ingested: 

• E01 
• iPhone backups 
• plain files and directories 
• raw disk images 
• some specific .dmg types 
• zip 
• tar 

Ingested .zip and .tar files appear as an evidence source with all the contents of the archive 
in the file browser for that evidence source. 


Process OCR Image Text | Process image (picture) files to extract text. Optical character 
recognition (OCR) converts text detected in the image into plain text which can be indexed and 
then searched. This process can be slow and is limited to these image types. 

• pdf 
• tiff 
• bmp 
• png 
• jpg 
• gif 

Calculate Hashes | Hash all files using MD5, SHA-1 and SHA-256 algorithms 

Identify Known Files | Identify known file types using Known File Hash (KFH) databases 

File Carving* | Recover or attempt to recover deleted files based on defined File Signatures 

File System Journal Analysis | Process $UsnJrnl and $LogFile files in Windows and macOS 
.fsevents (results are displayed in the System tab in the System Logs sub-view) 

Spotlight Parsing | macOS Spotlight extended attribute data parsing 

OS Event / Security Logs | Windows EVT/EVTX analysis, macOS ASL logs, and macOS Unified Logs 
(results are displayed in the System tab in the System Logs sub-view) 

Smart Indexing | Create a Smart Index of processed allocated data 

Content Search (Bulk Extraction) | Runs built-in searches against memory files 


Mail Parsing | Processes Apple Mail, Outlook mail files 

Activity Correlation | Identifies correlated events done by the system, by a user, or by device. 

iCloud Backups** | Processes iOS device backups from decrypted iCloud Production files 
(obtained via search warrants from Apple) 

Hiberfil.sys / Pagefile.sys | Processes Windows memory hibernation file and pagefile. If 
hiberfil.sys and pagefile.sys files are located, Inspector processes them as separate Evidence 
items within the Component list. 

Calculate File Entropy | Determines possible encryption level of files 

Manage Passwords*** | Enter a password, list of passwords, or import a file containing 
passwords (UTF-8 encoded, one per line), to unlock and parse Apple keychains on macOS or iOS 
devices 


*This option will be seen as Carve Unallocated if importing an item as unallocated. 


** This option is only available when ingesting data from iCloud production files. For more 
information, see Adding iCloud Productions. 


***Inspector will only attempt to unlock Apple keychains with the passwords entered during 
initial evidence ingestion. For more information, see Actionable Intel View. 
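The following Python example is added to this guide to illustrate the Process Archives behavior described in the table above and in Ingesting Backups from Within Images: archives nested inside an archive are expanded down to two levels, and deeper ones are listed but left packed. It is not Inspector's code. The nesting limit and the decompression budget are assumptions for the example, and the sample archives are constructed in memory. 

```python
"""Expand nested archives to a fixed depth, the way Process Archives does.

Added example, not Inspector's code. It walks a zip or tar archive, expands
archives found inside it down to two levels of nesting, and refuses members
whose names escape the extraction root. All sample archives are constructed.
"""
import io
import tarfile
import zipfile

MAX_NESTING = 2                       # nested archives deeper than this are listed, not expanded
MAX_TOTAL_BYTES = 50 * 1024 * 1024    # decompression budget (an assumed limit for this example)
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz")


def is_safe_member(name: str) -> bool:
    """Reject absolute paths and '..' components before any data would be written."""
    parts = name.replace("\\", "/").split("/")
    return not (name.startswith(("/", "\\")) or ".." in parts)


def iter_members(blob: bytes):
    """Yield (name, data) for each regular file in a zip or (optionally gzipped) tar blob."""
    bio = io.BytesIO(blob)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
        return
    bio.seek(0)
    try:
        tf = tarfile.open(fileobj=bio, mode="r:*")
    except tarfile.TarError:
        return                          # not an archive we understand; nothing to expand
    with tf:
        for member in tf.getmembers():
            if member.isfile():
                fileobj = tf.extractfile(member)
                if fileobj is not None:
                    yield member.name, fileobj.read()


def expand(blob: bytes, prefix: str = "", depth: int = 0, budget=None) -> list:
    """Return (virtual_path, size, status) tuples for an archive and its nested archives."""
    if budget is None:
        budget = [MAX_TOTAL_BYTES]      # shared across recursion so nested members count too
    results = []
    for name, data in iter_members(blob):
        vpath = prefix + name
        if not is_safe_member(name):
            results.append((vpath, len(data), "skipped: unsafe path"))
            continue
        budget[0] -= len(data)
        if budget[0] < 0:
            results.append((vpath, len(data), "skipped: decompression budget exceeded"))
            break
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            if depth < MAX_NESTING:
                results.append((vpath, len(data), "archive: expanded"))
                results.extend(expand(data, vpath + "/", depth + 1, budget))
            else:
                results.append((vpath, len(data), "archive: not expanded (nesting limit)"))
        else:
            results.append((vpath, len(data), "file"))
    return results


def _zip_bytes(entries) -> bytes:
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return bio.getvalue()


def _tgz_bytes(entries) -> bytes:
    bio = io.BytesIO()
    with tarfile.open(fileobj=bio, mode="w:gz") as tf:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return bio.getvalue()


def build_sample() -> bytes:
    """Constructed outer zip: a file, a traversal attempt, and three levels of nested archives."""
    level3 = _zip_bytes([("deepest.txt", b"level 3")])
    level2 = _zip_bytes([("deeper.txt", b"level 2"), ("level3.zip", level3)])
    level1 = _tgz_bytes([("deep.txt", b"level 1"), ("level2.zip", level2)])
    return _zip_bytes([("notes.txt", b"level 0"), ("../escape.txt", b"bad"), ("level1.tgz", level1)])


if __name__ == "__main__":
    for vpath, size, status in expand(build_sample()):
        print(f"{status:40} {size:6d}  {vpath}")
```

The member-name check and the decompression budget are the two safeguards an examiner wants when archives from an evidence item are expanded automatically: an archive member named with ".." could otherwise be written outside the extraction folder, and a small archive can expand to many times its size. Archives beyond the nesting limit remain visible in the listing so they can be added to the case by hand if needed. 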


These ingestion options have corresponding ellipsis buttons providing additional options. 


• Extract Data: the Manage Data Extraction window lists all items that are normalized 

• Picture Analysis: the Media Analysis window provides options for standard picture 
processing and image classification categories provided by Image Analyzer 

• Video Analysis: the Media Analysis window provides options for standard video processing 
and image classification categories provided by Image Analyzer 

• Calculate Hash: the Hash Types window lists the three hash algorithms available in 
Inspector for file hashing (MD5, SHA1, and SHA256) 

• Identify Known Files: the Hash Sets window allows the examiner to choose which hash sets 
Inspector should use to identify known and notable file types 

• File Carving: the File Signature Management window shows the defined file signatures used 
for file carving 
Extract Data refers to the internal Inspector processes used to generate the data displayed in 
the Actionable Intel, Communication, Locations, Internet, Productivity, and System tabs, with the 
exception of Windows registry files in the System tab. Registry files are parsed with filesystem 
parsing. Examiners can choose to limit which data extraction processes are run by deselecting 
options in the Manage Data Extraction window, focusing on the data pertinent to the 
examination. In the bottom left corner of the Manage Data Extraction window, click Uncheck All. 
Then select only the desired processes and click OK. 


[Screenshot: Manage Data Extraction window listing the extraction processes: Actionable Intel, 
Applications, Attached Devices, Berla, Calendar, Cleanup, Contacts, Device Info, Facebook, 
FireChat, Foursquare, Google Maps, iChat, Instagram, Internet Logs, Jump Lists, Kik, Line, 
LinkedIn, Location Details, Location Services, Maps, Media, Memory, Notes, ooVoo, Phone Calls, 
Recents, Shared File List, Skype, SMS, System Dictionary, Tango, Textfree, TextPlus, Top 
Contacts, Tumblr, Twitter, UFED Android, VK, Voice Memos, Voicemails, WeChat, WhatsApp, Wifi, 
Windows LNK; with Uncheck All, Cancel, and OK buttons.] 


Standard Picture and Video processing populates the Media tab. The Image Analyzer 
classification categories include: Alcohol, Chat, Child Sexual Abuse Material (CSAM), Currency, 
ID/CreditCards, Document, Drugs, Extremism, Gambling, Gore, Porn, Swim/Underwear, 
Vehicles, and Weapons. Examiners can choose to run any or all of these categories against 
pictures and videos. Classification of videos is determined using the Inspector-generated 16 
image (4 x 4) mosaic containing still frames from the video. By default, Inspector runs only 
standard picture and video processing. For additional image categorization, click the ellipsis 
button. On the lower left side of the Media Analysis window, click Check All to classify with all 
available classification categories. Otherwise, select only the desired categories. Click OK once 
the desired options are selected. 


[Screenshot: Media Analysis window with classification category checkboxes (Vehicles, Chat, 
ID/CreditCards, Document, Currency, CSAM, Alcohol, Drugs, Extremism, Gambling, Gore, Porn, 
and the remaining categories) and Check All and Cancel buttons.] 


To help identify known files, Inspector ships with the Known OS X System Files, Known Windows 
System Files, and the Hashkeeper hash sets. Additionally, Inspector recognizes Encase (6.19 and 
lower), NSRL (full), and Inspector (.blhs) hash set formats. Inspector also imports hash sets 
saved as text files as long as the file contains one hash value per line with each line separated by 
a carriage return. Hash sets can be created from files in a case using any or all of the available 
hash types (MD5, SHA-1, SHA-256). Custom hash sets created in Inspector are automatically 
saved in the .blhs format and are available for use in all Inspector cases. The Calculate Hashes 
ingestion option must be selected for Identify Known Files to work. By default, hash comparisons 
are performed using MD5 hash values. You can change this default. For more information, see 
Inspector Preferences or Options. 
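The following Python example is added to this guide to show the two uses of hashing described above: authenticating an acquired image against the digest recorded at acquisition (the hashed verification mentioned under Processing During Acquisition) and identifying known files by comparing a file's digest with a text hash set that holds one hash per line. It is not Inspector's code, and the files and hash set it uses are constructed. 

```python
"""Hash files with MD5, SHA-1 and SHA-256 and match them against a hash set.

Added example, not Inspector's code. It shows the two uses of hashing the guide
describes: authenticating an acquired image against an expected digest, and
identifying known files by comparing one of a file's digests with a text hash
set holding one hash per line. The files and hash set below are constructed.
"""
import hashlib
import io
import os
import tempfile

HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=HASH_ALGORITHMS, chunk_size=1 << 20) -> dict:
    """Compute several digests in one pass so a large image is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes, algorithms=HASH_ALGORITHMS) -> dict:
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path: str, algorithms=HASH_ALGORITHMS) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def verify_image(path: str, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Authenticate a copy: its digest must equal the one recorded at acquisition."""
    return hash_file(path, (algorithm,))[algorithm] == expected_hex.strip().lower()


def load_hash_set(text: str) -> set:
    """Parse a text hash set: one hex digest per line, blank lines ignored, case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def identify_known(path: str, hash_set: set, algorithm: str = "md5") -> dict:
    """Compare one digest (MD5 by default, as in Inspector) with the loaded set."""
    digests = hash_file(path)
    return {"known": digests[algorithm] in hash_set, **digests}


# Constructed hash set: the MD5 of the bytes b"hello world", written in upper case
# with a blank line, to show that parsing tolerates both.
SAMPLE_HASH_SET_TEXT = "5EB63BBBE01EEED093CB22BB8F5ACDC3\n\n"
SAMPLE_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"


def demo() -> dict:
    """Write two constructed files to a temporary folder and classify them."""
    hash_set = load_hash_set(SAMPLE_HASH_SET_TEXT)
    with tempfile.TemporaryDirectory() as tmp:
        known = os.path.join(tmp, "known.dll")
        unknown = os.path.join(tmp, "unknown.bin")
        with open(known, "wb") as f:
            f.write(b"hello world")
        with open(unknown, "wb") as f:
            f.write(b"constructed content that is in no hash set")
        return {
            "known.dll": identify_known(known, hash_set)["known"],
            "unknown.bin": identify_known(unknown, hash_set)["known"],
            "image_verified": verify_image(known, SAMPLE_SHA256),
            "image_tampered": verify_image(unknown, SAMPLE_SHA256),
        }


if __name__ == "__main__":
    for item, result in demo().items():
        print(f"{item}: {result}")
```

Computing all three digests in a single read pass matters for large images, which are read once rather than three times. Because known-file comparison uses MD5 by default, a match on a notable (as opposed to known-good) file is worth confirming with the SHA-256 digest that the same pass already produced. 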


[Screenshot: Hash Sets window, "Identify files from the following Hash Sets:", with Hash Set and 
Status columns listing Known Windows System Files, Hashkeeper 2.0 (Known CP), Hashkeeper 2.0 
(Suspected CP), and Known OS X System Files; Uncheck All, Cancel, and OK buttons.] 


When File Carving, by default Inspector attempts to recover all listed file types. This may take 
some time. In the ingestion options, if activating the File Carving checkbox (or Carve Unallocated if 
importing an item as unallocated), select the corresponding ellipsis button for further options. A 
separate File Signature Management window opens. Here the examiner may specify the 
unallocated file types to include in the recovery attempt. For more information, see Advanced 
Evidence Recovery. 
Below the Frequency column in the File Signature Management window, click Uncheck All. To the 
left of a file type group, select the disclosure triangle to reveal individual file types within the 
group and select only file types of interest to shorten the processing time. For more information 
about a given file type, select the file type to highlight it, and the right half of the File Signature 
Management window displays a verbal file type description and a list of typical file headers and 
footers (if available) for the selected file type. 


[Screenshot: File Signature Management window. Left: file type groups (the Pictures group is 
expanded) with Extension, Description, Format, and Frequency (Use) columns; sample rows 
include ABC Micrografx ABC FlowCharter (Uncommon), AI Adobe Illustrator File (Very Common), 
BMP Device Independent Bitmap File (Common), GIF Graphical Interchange Format (Very 
Common), JPG JPEG Image File (Very Common), JP2 JPEG 2000 Core Image File (Common), and 
PBM Portable Bitmap Image (Common). Right: description of the selected type (QuickDraw 3D 
Metafile, a three-dimensional image format based on Apple QuickDraw 3D technology) and 
File Signature Information with Header(s) and Footer(s). Bottom: + New Group, Uncheck All, 
Cancel.] 
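The following Python example is added to this guide to show, in working form, the two processes built on the file signature table: File Signature Analysis (comparing a file's header with its extension, as described in the ingestion options table) and File Carving (recovering data from unallocated space by header and footer). It is not Inspector's code. The signature table is a small constructed subset using the published header and footer bytes of a few common formats, and the unallocated buffer is constructed. 

```python
"""File signature analysis and header/footer carving on a constructed buffer.

Added example, not Inspector's code. The signature table is a small constructed
subset of the kind of data the File Signature Management window holds; the
header and footer bytes for JPEG, PNG, GIF, PDF and ZIP are the published ones.
"""

# (extension, header, footer). A footer of None marks a type that cannot be
# carved by header/footer alone (its length lives in its own structure).
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("gif", b"GIF8", b"\x00;"),
    ("pdf", b"%PDF-", b"%%EOF"),
    ("zip", b"PK\x03\x04", None),
]
EXTENSION_ALIASES = {"jpeg": "jpg", "jpe": "jpg"}


def detect_type(data: bytes):
    """Return the extension whose header matches the start of the data, or None."""
    for ext, header, _ in SIGNATURES:
        if data.startswith(header):
            return ext
    return None


def signature_analysis(filename: str, data: bytes) -> tuple:
    """Compare header-derived type with the name's extension: (content, claimed, verdict)."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_ALIASES.get(claimed, claimed)
    content = detect_type(data)
    if content is None:
        verdict = "unknown signature"
    elif content == claimed:
        verdict = "match"
    else:
        verdict = "mismatch"          # e.g. a JPEG renamed to .pdf, worth a closer look
    return content, claimed, verdict


def carve(buffer: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Find header/footer pairs in raw (unallocated) data: list of (ext, start, end)."""
    found = []
    for ext, header, footer in SIGNATURES:
        if footer is None:
            continue
        pos = buffer.find(header)
        while pos != -1:
            limit = min(len(buffer), pos + max_size)   # cap the search so a lone header
            end = buffer.find(footer, pos + len(header), limit)  # cannot swallow the disk
            if end == -1:
                pos = buffer.find(header, pos + 1)     # header without footer: skip it
                continue
            end += len(footer)
            found.append((ext, pos, end))
            pos = buffer.find(header, end)
    return sorted(found, key=lambda hit: hit[1])


# Constructed samples: a minimal JPEG-like and PNG-like file, embedded in filler
# with a truncated JPEG header (no footer) that must not be carved.
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"JFIF constructed body" + b"\xff\xd9"
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
FILLER = b"\x00" * 64
UNALLOCATED = (FILLER + JPG_SAMPLE + FILLER + PNG_SAMPLE + FILLER
               + b"\xff\xd8\xff\xe1partial" + FILLER)


if __name__ == "__main__":
    print(signature_analysis("photo.jpeg", JPG_SAMPLE))
    print(signature_analysis("invoice.pdf", JPG_SAMPLE))
    for ext, start, end in carve(UNALLOCATED):
        print(f"carved {ext} at {start}-{end} ({end - start} bytes)")
```

The per-type size cap is the practical check behind the guide's advice to select only the file types of interest: a header whose footer never arrives would otherwise be searched to the end of the volume, and every extra type in the table multiplies that cost. 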


An examiner may also create custom, user-defined file signature databases. Once created, these 
user-defined databases appear in the File Signature Management window, and an examiner may 
add additional file signatures to the database or remove existing signatures from the database 
directly from this window. By default, user-defined file signature databases are stored in the 
/Application Support/Cellebrite/Inspector/UASignatureDBs folder. For more information, see File 
Signature Databases. 


Inspector offers the capability of calculating byte stream entropy per file, which can aid in 
discerning between items that are more likely to be encrypted versus those which are not. 
Entropy values range from 0 to 1, with values closer to 1 denoting items that are more likely to 
be encrypted. To use this feature, select Calculate file entropy. After processing for file entropy on 
an evidence item, values are displayed under the Entropy column in the Browser and File Filter 
views. Entropy is available as a sortable column for display in the Browser and File Filter views. 
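The following Python example is added to this guide to show how a per-file entropy value on the 0 to 1 scale described above can be computed and used to flag items. It is not Inspector's code: the guide does not state Inspector's exact formula, so this example uses Shannon entropy in bits per byte divided by 8, and the flagging threshold is an assumption. All sample file contents are constructed. 

```python
"""Per-file byte-stream entropy on a 0 to 1 scale.

Added example, not Inspector's code. Entropy is computed as Shannon entropy
in bits per byte divided by 8, which is one natural way to land on the
0 to 1 scale the guide describes; the threshold used to flag an item is an
assumption for this example. All sample contents are constructed.
"""
import hashlib
import math
from collections import Counter

FLAG_THRESHOLD = 0.9   # assumed cut-off; tune against known-good data before relying on it


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, normalised so 1.0 means all 256 values equally likely."""
    if not data:
        return 0.0
    n = len(data)
    bits = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return bits / 8.0


def classify(entropy: float, threshold: float = FLAG_THRESHOLD) -> str:
    """High entropy means 'encrypted or compressed'; the two cannot be told apart by entropy alone."""
    return "likely encrypted or compressed" if entropy >= threshold else "likely plaintext"


def _pseudo_random(length: int) -> bytes:
    """Deterministic high-entropy filler built from chained SHA-256 output (constructed)."""
    out, block = bytearray(), b"constructed seed"
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


SAMPLES = {
    "notes.txt": b"the quick brown fox jumps over the lazy dog. " * 100,
    "zeros.bin": b"\x00" * 4096,
    "vault.dat": _pseudo_random(4096),
}


def entropy_report(samples: dict = SAMPLES) -> dict:
    """Map each file name to (entropy, classification)."""
    report = {}
    for name, data in samples.items():
        e = byte_entropy(data)
        report[name] = (round(e, 3), classify(e))
    return report


if __name__ == "__main__":
    for name, (e, verdict) in entropy_report().items():
        print(f"{name:12} entropy={e:.3f}  {verdict}")
```

Compressed files (zip archives, JPEG pictures, most video) score nearly as high as encrypted data, so a high entropy value identifies candidates rather than proof of encryption; sorting the Entropy column and combining it with the Content Extension from File Signature Analysis narrows the list to files whose high entropy has no benign explanation. 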


A bulk extraction tool is used to perform content searches on memory files, scanning the 
evidence file for key items of interest. For more information, see Bulk Extraction Searches on 
Memory Files. 
APFS on macOS 10.15 


With the release of macOS 10.15, increased system protection was added to macOS. macOS 
Catalina runs in a read-only system volume, separate from other files. When a system is 
upgraded to Catalina, a second volume is created, and some files may move to a Relocated 
Items folder. 


Managing Case Evidence 


The boot volume was split into two pieces. On the Desktop it appears as one volume, but looking 
at it via Disk Utility, it is readily apparent there are two volumes: 


[Screenshot: two Disk Utility windows for a macOS 10.15 boot disk. MacSSD: APFS Volume, APFS 
(Encrypted), Mount Point /, Capacity 500.07 GB, Used 10.97 GB, Other Volumes 226.57 GB, 
Available 266.17 GB (3.66 GB purgeable), Device disk1s1, Connection SATA, Owners Enabled. 
MacSSD - Data: APFS Volume, APFS (Encrypted), Mount Point /System/Volumes/Data, Capacity 
500.07 GB, Used 223.66 GB, Other Volumes 13.89 GB, Available 266.17 GB (3.66 GB purgeable), 
Device disk1s5, Connection SATA, Owners Enabled.] 


The volume name that appears on the Desktop appears in both volumes; the second volume has 
- Data appended to the volume name. For more information, see this topic provided by Apple: 
https://support.apple.com/en-us/HT210650. 
This structure can also be seen when the volume is processed in Inspector. It is first visible 
when ingesting evidence from a macOS 10.15 system. 


[Screenshot: Add Evidence window for Bennett-Computer-191230.E01 (EWF image), Evidence ID 
Bennett-Computer-191230.E01 - 001. Partitions: Protective MBR (512 Bytes), Primary GPT Header 
(512 Bytes), Primary GPT Table (16.0 KB), Unallocated (3.0 KB), EFI System Partition (FAT32) 
(200.0 MB), Racer - Data (APFS) (29.9 GB) with Snapshots: Racer - Data (APFS) [0 Selected, 
4 Unselected, 0 Processed], Preboot (APFS) (23.4 MB), Recovery (APFS) (501.1 MB), VM (APFS) 
(1.0 GB), Racer (APFS) (10.3 GB) with Snapshots: Racer (APFS) [0 Selected, 4 Unselected, 
0 Processed], Unallocated (APFS) (17.5 GB), Basic data partition (NTFS) (52.4 GB) with VSCs: 
Basic data partition (NTFS) [0 Selected, 2 Unselected, 0 Processed], Unallocated (472.0 KB).] 


This example shows a macOS system with the volume name Racer. Evidence processing options 
can be different for the two volumes and the associated APFS Snapshots. User files and data are 
stored on the <Volume Name> - Data volume. The system data is stored on the <Volume Name> 
volume and is mounted read-only when macOS is running. In addition, the system volume 
contains system .plist and database files, and system applications (pre-installed Apple 
applications). When choosing processing options, keep this in mind. 
Starting the Evidence Ingestion 


When finished with the options in the Add Evidence window, select the Start button to start the 
data ingestion. In the Component list select Evidence Status. Inspector begins ingesting and 
processing the data according to the options chosen. 


As soon as the file system is parsed, a check box appears in the Component list for that 
evidence item. The examiner can then browse the evidence item in the Browser tab while the 
other processing options are finishing. 


Running or Rerunning Processing Options After Ingestion 


To run previously skipped file processing options at any time, in the Component list under 
Activity, select Evidence Status. A Run button appears for the processing options that have yet to 
execute. Click Run to execute the associated file processing option. Evidence processing status 
indicators appear in the Content pane. Status indicator labels display Preparing, Percentage 
Completed, and Finished as progress is made. 


An examiner can also run the hash set processor (Known Files) and the unallocated file recovery 
processor (File Carving) multiple times during a case. In the Component list under Activity, 
select Evidence Status. A Run button appears in the Content pane next to Known Files. When you 
click Run, the Hash Sets window appears. Select the desired hash sets to apply during 
processing and click OK. 


In the Content pane, a Rerun button appears next to File Carving for each volume or device, with 
the exception of APFS volumes. When you click Rerun, a warning dialog appears to alert the 
examiner that Inspector is temporarily removing the partition from the case and reprocessing 
the data. To proceed, click Reset in the warning dialog. For more information, see File System 
Information. 


Important: When you click Reset, tags associated with data contained on the partition are 
permanently removed from the case. 


Show Errors 


If an error occurs during the acquisition, an error badge (i.e., an exclamation mark within a 
triangle) appears in the Evidence list next to the name of the device associated with the error. 


[Screenshot: the context menu of an evidence item in the Component list, with the commands 
Relocate Evidence..., Export Evidence File..., Rename Drive..., Remove from Timeline..., 
Remove Evidence Item..., and Show Errors....] 


Open the context menu of the item showing the error badge, and then click Show Errors. A window 
containing a list of the errors that occurred during data processing appears. Click Save to File 
to save the error list to a text file. 


Most data processing errors are benign, but an examiner should note these errors to preserve 
case integrity. FileSystemID conflict errors may indicate duplicate file creation caused by file 
system corruption. Inspector automatically resolves these and other common error types. In the 
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Errors window, click Ignore to ignore an error. In the confirmation dialog box, click OK. The error 
badge is removed from the Evidence section in the Component list. 


An examiner may also perform an unallocated recovery on an entire disk if the acquisition or 
data parsing process fails entirely. 


Adding a Selected Image File on an Imported Evidence Item 


To add an image file located on an evidence item that is already in a case, select a device 
partition in the Component list, and on the toolbar click Details. In the Artifacts section at the 
lower right of the window, double-click on the Disk Images bar graph. Inspector switches to the 
File Filter view and displays a list of disk images. 


In the Content pane, select an image file to add to the case as a new evidence item. Click File > 
Add Selected. 


The Add Evidence window appears. Choose the processing options, then click Start. Inspector 
adds the image file to the case and the image appears as an Item in the Evidence section of the 
Component list. 


Adding an iOS Disk Image or Backup 


As long as you have access to the necessary encryption credentials/files, Cellebrite Inspector 
ingests and processes unencrypted or encrypted iOS disk images as well as encrypted or 
unencrypted iOS backup folders. 


The process for adding iOS evidence is begun the same way as adding any form of evidence to an 
Inspector case. For more information, see Adding Evidence to a Case. 


Adding Unencrypted iOS Disk Images 


Use the Add Evidence window to import unencrypted bit-by-bit forensic iOS images (allocated, 
unallocated, and free space) acquired from iOS devices. Note, however, that devices running iOS 
version 4.0 or higher are encrypted at the block level, and therefore full data recovery from 
unallocated space is not possible. Email cannot be retrieved. 


Inspector ingests the following unencrypted iOS disk image formats: 


e ElcomSoft 

e Cellebrite 

e AM 

e MPE+ (Tarball image) 

e iPhone-Dataprotection & Lantern Lite 


Adding Encrypted iOS Disk Images 


Some third-party iOS image acquisition tools do not create a decrypted disk image by default. 
Instead, the acquired bit-by-bit forensic image file remains in an encrypted state after 
acquisition, and a decryption key file that decrypts the image is included with the acquisition. 
However, some of these third-party tools do have a decrypted image acquisition option. If you 
select this option, a second, unencrypted image is created during the acquisition process. 
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Inspector imports encrypted third-party iOS forensic images. To conserve disk space, Inspector 
does not use the decryption key to create a second unencrypted image. Instead, Inspector uses 
the decryption key to decrypt the image on the fly as the image is imported. 


Inspector imports the following encrypted iOS disk image formats: 


e Cellebrite (.ufd) 
e MPE+ (dd8 images that are not PIN-locked) 
e iPhone DataProtect & Lantern Lite 


When adding an encrypted iOS forensic image to a case, the Open Decryption Key File window 
appears. Select the decryption key file and click Open. 


Inspector imports the encrypted disk image and uses the decryption key to decrypt the image on 
the fly as the image is imported. 


Adding iOS Backup Folders 


Inspector acquires logical data from an iOS backup (e.g., an iTunes backup). An iOS backup 
may not contain current data, but data recently deleted from an iOS device may be recoverable 
from a backup. Therefore, acquiring data from this file can be important. Backup files do not 
contain applications (iOS version 4.0 and higher), music, movies, etc. 


To add an iOS backup folder to a case, navigate to the iOS backup folder and select only the top-
level directory of the iOS backup. A device's top-level directory is named with the device UDID (a 
40-character hexadecimal value on older devices) and contains further folders and files with 
similar hexadecimal names. 


Activate the checkbox for the iOS backup that is to be imported. If it is an encrypted backup, a 
lock icon is displayed next to the backup name and the device is deselected. Select the 
encrypted backup in the middle column; a dialog opens, prompting for the backup password that 
was in effect when the backup was made. Enter the password and click Confirm Password. 
Without the backup password, only ancillary data is available for collection: media and some 
third-party application data. 


Inspector does not attempt to crack this password, however there are several third-party 
applications available that do. For more information, see this topic provided by Apple: 
http://support.apple.com/kb/ht4946. 


In the middle portion of the Add Evidence window, an Evidence ID text box is shown, and this text 
box can be clicked and edited with an alphanumeric evidence ID for the iOS backup folder. 


Choose the desired ingestion options and click Start when ready to begin the import. 
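The following Python script is an added example for this manual, not Inspector code: Inspector performs its own detection when you select a backup folder. It shows the pre-ingestion check an examiner can run over a copied Backup directory to see which UDID-named folders are complete backups and which will prompt for a password. It relies on documented properties of the backup format that this manual does not state: a backup folder is named with the device UDID (40 hexadecimal characters for older devices, or the newer 8-dash-16 hexadecimal form such as 00008030-001A2B3C4D5E802E, so it goes slightly beyond the 40-character case described above), it contains a Manifest.plist whose boolean IsEncrypted key records whether a backup password was set, and iOS 10 and later backups also carry a Manifest.db. The directory tree built by build_sample_backup_root() is constructed sample data, not a real backup.

```python
"""Find iOS backup folders under a backup root and report which are encrypted.

Added example; not Inspector code. Assumptions (documented backup-format
facts, not taken from this manual): folder name == device UDID, Manifest.plist
present with a boolean IsEncrypted key, Manifest.db present on iOS 10+.
"""
import os
import plistlib
import re
import tempfile

# Old-style UDID: 40 hex chars.  New-style: 8 hex chars, dash, 16 hex chars.
UDID_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{8}-[0-9a-f]{16})$", re.IGNORECASE)


def is_udid_name(name: str) -> bool:
    """True if a directory name has the shape of a device UDID."""
    return bool(UDID_RE.match(name))


def inspect_backup(folder: str) -> dict:
    """Read Manifest.plist from one backup folder and summarise it."""
    with open(os.path.join(folder, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    return {
        "udid": os.path.basename(folder),
        "manifest": True,
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "has_manifest_db": os.path.isfile(os.path.join(folder, "Manifest.db")),
    }


def find_ios_backups(root: str) -> list:
    """Return one record per UDID-named subfolder of root.

    A UDID-named folder without Manifest.plist is still reported
    (manifest=False, encrypted=None) so that a partial copy is visible rather
    than silently skipped; anything else under root is ignored.
    """
    records = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not (os.path.isdir(path) and is_udid_name(name)):
            continue
        if os.path.isfile(os.path.join(path, "Manifest.plist")):
            records.append(inspect_backup(path))
        else:
            records.append({"udid": name, "manifest": False,
                            "encrypted": None, "has_manifest_db": False})
    return records


def build_sample_backup_root() -> str:
    """Construct a throwaway tree shaped like an iTunes/Finder Backup folder.

    Constructed sample data only; the UDIDs are placeholders.
    """
    root = tempfile.mkdtemp(prefix="ios_backups_")
    for udid, encrypted in (
        ("1b1ce46edadab95d64c02814ba376c71e00a6301", True),   # old-style UDID, encrypted
        ("00008030-001A2B3C4D5E802E", False),                   # new-style UDID, unencrypted
    ):
        folder = os.path.join(root, udid)
        os.makedirs(folder)
        with open(os.path.join(folder, "Manifest.plist"), "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
        open(os.path.join(folder, "Manifest.db"), "wb").close()
    # UDID-shaped folder with no manifest: a partial copy the examiner should notice.
    os.makedirs(os.path.join(root, "0123456789abcdef0123456789abcdef01234567"))
    # Unrelated folder that must be ignored.
    os.makedirs(os.path.join(root, "Notes"))
    return root


if __name__ == "__main__":
    for record in find_ios_backups(build_sample_backup_root()):
        print(record)
```

Run it against the parent of the backup folders (on macOS, ~/Library/Application Support/MobileSync/Backup). A record with encrypted=True tells you in advance that Inspector will ask for the backup password and that, without it, only media and some third-party application data will be collected; a record with manifest=False is a folder that will not import as a backup at all.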
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Ingest GrayKey Images 


Inspector can ingest and process GrayKey images. Doing this provides access to the data in the 
images through parsing, and it also allows full file system analysis. GrayKey images are supplied 
as zip files, accompanied by a keychain plist and a passwords file, for example: 


1b1ce46edadab95d64c02814ba376c71e00a6301_files.zip 
1b1ce46edadab95d64c02814ba376c71e00a6301_keychain.plist 
1b1ce46edadab95d64c02814ba376c71e00a6301_mem.zip 
1b1ce46edadab95d64c02814ba376c71e00a6301_passwords.txt 


You can add each of these to Inspector by dragging and dropping them onto your case, or you 
can click Add. 


When the Add Evidence window appears, choose the options and click Start. 


[Screenshot: the Add Evidence window with 51f945480aafafbb..._files_full.zip selected and 
identified as TariOSExtraction. The middle pane shows the Evidence ID, Model Version (iPhone X), 
Product Type (iPhone10,3) and Serial Number. The Processing Options pane offers Preview, Triage 
and Comprehensive presets and the options File Signature Analysis, Picture Analysis, Video 
Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File 
System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Mail 
Parsing, Activity Correlation, Calculate File Entropy, and Manage Passwords..., with Refresh, 
Remove, Cancel and Start buttons.] 
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Inspector processes a GrayKey zip file much as it processes an iOS backup, but with far more 
data. What is available depends on which zip file you choose, since GrayKey provides these types: 


e <name>_files.zip contains the entire file system dump. 

e <name>_backup.zip is an iOS backup version. 

e <name>_mem.zip can be brought in either as a simple zip archive, so you can see the 
contents, or as a folder, so you can run a full bulk extraction on it to recover evidentiary 
items such as IP addresses, email addresses, and so on. 


[Screenshot: the Browser view of an ingested GrayKey image in an Inspector case. The Component 
list shows the evidence item, Activity (Evidence Status, Export Status), Content Searches, Index 
Searches and Investigative Notes; the Content pane lists the file system with Date Created, Date 
Modified, Date Accessed, Date Added, Version Index, Size and Extension columns, and a Field / 
Value pane with Preview, Metadata, Location and Record tabs.] 


Navigation through a GrayKey image looks just as if it came straight from the device itself. 


[Screenshot: the Calls view of the same GrayKey image, with tabs for Calls, Messages, Voice 
Memos, Favorites, Contacts and Email, and a table of calls with Date, Contact, Duration 
(HH:MM:SS) and Status (e.g., Missed, Canceled) columns.] 


Adding a Memory File 


Every bit of data being created, viewed, or destroyed goes through RAM, including all web-
browsing activity, editing of documents, viewing of pictures, sending and receiving of network 
data, execution of applications, etc. Some types of artifacts only exist in RAM, and many types of 
ephemeral operating system artifacts are never stored to disk (e.g., what applications are 
currently running, what files and network connections are currently open, or what drivers are 
loaded). RAM artifacts can potentially tell examiners whether malware, anti-forensics tools, or 
encryption software was running, whether the machine had open network connections to known 
websites of interest, and/or what picture files a viewer application had open. 


An in-depth study of memory forensics is outside the scope of this manual. 
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The process for adding a memory file is begun the same way as for adding any form of evidence 
to an Inspector case. For more information, see Adding Evidence to a Case. 


Inspector automatically identifies a memory file and adjusts the Processing Options. You can 
perform a Quick Scan (default) or a Deep Scan. The Quick Scan option is faster and searches the 
most likely locations. Deep Scan takes more processing time and searches in additional 
locations less likely to yield content. 


[Screenshot: the Processing Options pane for a memory file: Preview, Triage and Comprehensive 
presets; Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, 
Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, 
File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, 
Content Search (Bulk extraction), Mail Parsing, Activity Correlation, iCloud Backups, Hiberfil.sys 
/ Pagefile.sys with Quick Scan (selected) or Deep Scan, Calculate File Entropy, and Manage 
Passwords.... The Templates control reads No Templates.] 
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If attempting to add a hiberfil.sys (Hibernation) file, a separate window will open prompting for 
the Windows OS version that was used to create the file. Choose the operating system version 
from the drop-down menu and click Confirm Version. If you select Unknown Version from the 
drop-down menu, memory parsing will not be run. However, file carving and content searching 
can still be run from the Add Evidence window if desired. 
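The header sniffing below is an added example for this manual, not Inspector code; Inspector's own identification logic is internal and is not described here. It shows how an examiner can tell a hibernation file, a crash dump and a raw capture apart before adding the file, and whether the Windows version prompt above will matter. The magic values are documented properties of the file formats rather than anything stated in this manual: a hiberfil.sys begins with "hibr" or "HIBR" while it holds a valid hibernation image and with "wake" or "WAKE" (or an all-zero first page) once the machine has resumed; a Windows crash dump begins with "PAGEDUMP" (32-bit) or "PAGEDU64" (64-bit); an ELF core begins with 0x7f followed by "ELF"; pagefile.sys and raw dd-style RAM captures carry no header at all. The sample headers in the main block are constructed byte strings, not captures.

```python
"""Classify a memory file from its first page before ingestion.

Added example; not Inspector code. Signatures are documented format facts,
not taken from this manual.
"""

PAGE = 4096

# (magic at offset 0, classification, Windows version needed to parse?)
SIGNATURES = [
    (b"hibr", "hiberfil: valid hibernation image", True),
    (b"HIBR", "hiberfil: valid hibernation image", True),
    (b"wake", "hiberfil: stale, machine has resumed (contents may be partial)", True),
    (b"WAKE", "hiberfil: stale, machine has resumed (contents may be partial)", True),
    (b"PAGEDUMP", "crash dump: 32-bit", False),
    (b"PAGEDU64", "crash dump: 64-bit", False),
    (b"\x7fELF", "ELF core file", False),
]


def identify_memory_file(header: bytes, filename: str = "") -> dict:
    """Classify a memory file from its first page and, as a fallback, its name.

    Returns {"kind", "needs_os_version", "parse"}.  parse is False when only
    file carving and content searching make sense, which is what Inspector
    does when Unknown Version is chosen.
    """
    head = header[:PAGE]
    for magic, kind, needs_version in SIGNATURES:
        if head.startswith(magic):
            return {"kind": kind, "needs_os_version": needs_version, "parse": True}

    # Normalise Windows and POSIX separators, keep the base name only.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in ("pagefile.sys", "swapfile.sys"):
        return {"kind": "pagefile: no header, carve and content-search only",
                "needs_os_version": False, "parse": False}
    if head and not head.strip(b"\x00"):
        # Windows zeroes the hibernation header on resume, so an all-zero
        # hiberfil.sys is stale rather than corrupt.
        kind = ("hiberfil: header zeroed on resume, no memory parsing possible"
                if name == "hiberfil.sys" else "empty/zeroed header")
        return {"kind": kind, "needs_os_version": False, "parse": False}
    return {"kind": "raw memory image (no recognised header)",
            "needs_os_version": False, "parse": True}


def read_header(path: str) -> bytes:
    """Read only the first page; memory files can run to tens of gigabytes."""
    with open(path, "rb") as fh:
        return fh.read(PAGE)


if __name__ == "__main__":
    # Constructed sample headers, not real captures.
    samples = {
        "hiberfil.sys": b"hibr" + b"\x00" * 60,
        "MEMORY.DMP": b"PAGEDU64" + b"\x0f\x00\x00\x00",
        "pagefile.sys": b"\x00" * PAGE,
        "ram.raw": b"\x4d\x5a\x90\x00" + b"\x00" * 28,
    }
    for name, header in samples.items():
        print(f"{name:14} -> {identify_memory_file(header, name)}")
```

For a real file, call identify_memory_file(read_header(path), path). A result with needs_os_version=True is a hibernation image for which the prompt above must be answered with the correct Windows version; a result with parse=False is a file for which only the File Carving and Content Search options will produce anything.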


[Screenshot: the Add Evidence window with Memory File Name: hiberfil.sys and the operating 
system version dialog. The dialog reads: "In order to process the memory file, the operating 
system version the file came from is required. Windows Vista and newer versions are currently 
supported. By selecting Unknown Version from the drop down below, memory parsing will not be 
run. If selected in Evidence Selection, file carving and content searching however will be run." 
The <select operating system version> drop-down lists Vista, Vista Service Pack 1, Vista Service 
Pack 2, Windows 7, Windows 7 Service Pack 1, Windows 8, Windows 8.1, Windows 10, Windows 10 
(v1511), Windows 10 (v1607), Windows 10 (v1703), Windows 10 (v1803), Windows 10 (v1809), and 
Unknown Version.] 

Microsoft Symbols 


Inspector requires Microsoft symbols in order to process Windows memory files. If Inspector 
does not have access to these symbols, nothing can be extracted from memory files. These 
symbols are stored on the Microsoft Symbol Server, which can be accessed over the Internet. 
You can manage preferences for accessing Microsoft symbols from the Microsoft Symbol Server. 
For more information, see Inspector Preferences or Options. 


[Screenshot: the Microsoft Symbols Settings dialog. It reads: "To process memory files (memory 
dumps, hibernation and page files) Inspector will install a default symbol set to the 'Symbols 
Location' below. Inspector can download new symbols from the Microsoft Symbol Server or an 
internal Symbol Server. Warning: An internet connection is required to download from the 
Microsoft Symbol Server. To process memory files without connecting to a Symbol Server, copy all 
required symbols to the 'Symbols Location' below." Controls: the checkbox Enable downloading of 
symbols from address specified here (checked); Symbol Server: 
https://msdl.microsoft.com/download/symbols; Symbols Location: 
C:\Users\heidi\AppData\Roaming\Cellebrite\Symbols with a folder icon and Reset; and the 
checkbox Report missing symbols to Cellebrite.] 

The Symbols Location field shows where Inspector installs its default symbol set and where any 
downloaded symbol files are saved. Click the folder icon to choose a different location for 
symbols. Click Reset to restore the Symbols Location field to the default path. 


Inspector can download new symbols from the Microsoft Symbol Server or an internal server. By 
default, the checkbox is activated to enable downloading of symbols, and the Microsoft server 
address is selected. An Internet connection is required to download from the Microsoft Symbol 
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Server. To disable automatic downloading of symbols, unmark the checkbox for Enable 
downloading of symbols from address specified here. 


By default, Inspector sends anonymized data about the necessary symbols back to Cellebrite, so 
that we can consider including the symbols in our future symbol packs. Reporting can be 
disabled by unmarking the checkbox for Report missing symbols to Cellebrite. 


To connect to an internal symbol server, change the address in the Symbol Server field. 


To process memory files without connecting to a symbol server, copy all required symbols to the 
location shown in the Symbols Location field. 
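The script below is an added example for this manual, not Inspector code. It exists because an examiner staging symbols for an analysis machine without Internet access needs to confirm that the files landed where a symbol store expects them before re-adding the memory file. It relies on the standard Microsoft symbol-store layout, which is a documented convention and not something this manual states: a PDB lives at <store>/<pdb name>/<GUID as 32 upper-case hex digits><age in hex>/<pdb name>, and a store may instead hold the cab-compressed form whose last name character is replaced by an underscore (ntkrnlmp.pd_). The PDB names, GUIDs and ages in build_sample_store() are constructed placeholders, not real kernel build identifiers, and the function names are this example's own.

```python
"""Locate a PDB in a symbol store and check a Symbols Location offline.

Added example; not Inspector code. Store layout is the documented Microsoft
symbol-store convention, not taken from this manual.  Sample identifiers are
constructed placeholders.
"""
import os
import tempfile
import uuid

DEFAULT_SERVER = "https://msdl.microsoft.com/download/symbols"


def symbol_key(guid: str, age: int) -> str:
    """'<GUID><AGE>' exactly as a symbol store spells it: no dashes, upper case."""
    return f"{uuid.UUID(guid).hex.upper()}{age:X}"


def symbol_relpath(pdb_name: str, guid: str, age: int) -> str:
    """Store-relative path of the PDB: <name>/<key>/<name>."""
    return "/".join((pdb_name, symbol_key(guid, age), pdb_name))


def symbol_url(pdb_name: str, guid: str, age: int, server: str = DEFAULT_SERVER) -> str:
    """URL a download utility would fetch for this PDB from the given server."""
    return server.rstrip("/") + "/" + symbol_relpath(pdb_name, guid, age)


def is_staged(location: str, pdb_name: str, guid: str, age: int) -> bool:
    """True if the PDB (plain or cab-compressed .pd_) sits under location."""
    parts = symbol_relpath(pdb_name, guid, age).split("/")
    plain = os.path.join(location, *parts)
    compressed = plain[:-1] + "_"
    return os.path.isfile(plain) or os.path.isfile(compressed)


def check_symbols_location(location: str, required: list) -> dict:
    """Split required [(pdb_name, guid, age), ...] into present paths and missing URLs.

    Missing entries come back as download URLs so they can be handed to a
    machine that does have Internet access (the manual's third recovery option).
    """
    present, missing = [], []
    for pdb_name, guid, age in required:
        if is_staged(location, pdb_name, guid, age):
            present.append(symbol_relpath(pdb_name, guid, age))
        else:
            missing.append(symbol_url(pdb_name, guid, age))
    return {"present": present, "missing": missing}


def build_sample_store() -> tuple:
    """Constructed store: one PDB staged in compressed form, one absent."""
    location = tempfile.mkdtemp(prefix="symbols_")
    required = [
        ("ntkrnlmp.pdb", "3844dbb9-2017-4967-be7a-a4a2c20430fa", 2),  # placeholder GUID
        ("ntoskrnl.pdb", "0f2a6d1c-5b7e-4a3d-9c8e-1234567890ab", 1),  # placeholder GUID
    ]
    pdb_name, guid, age = required[0]
    folder = os.path.join(location, pdb_name, symbol_key(guid, age))
    os.makedirs(folder)
    open(os.path.join(folder, "ntkrnlmp.pd_"), "wb").close()
    return location, required


if __name__ == "__main__":
    loc, req = build_sample_store()
    print(check_symbols_location(loc, req))
```

Point location at the path shown in the Symbols Location field and fill required with the kernel PDB identifiers Inspector reports as missing; whatever comes back under "missing" is the exact set of files to fetch elsewhere and copy in, after which the memory file can be reprocessed without a symbol server connection.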


If you have disabled symbol downloading or you have no Internet connection, Inspector may fail 
when processing a memory file. In this case, if you right-click the error badge for the memory 
file and click Show Errors, a window appears offering these options. 


[Screenshot: the Symbol Download Failure dialog. It reads: "An internet connection is required to 
download symbols needed for processing. To resolve, please select one of the following options:" 
followed by the options Install all known symbols with the Inspector Symbols installer and click 
Reprocess (http://community.cellebrite.com/); Connect to internet and click Reprocess; and Select 
external drive and click Copy Utility, with a Select Drive... button. A Cancel button closes the 
dialog.] 


1. Download and install the offline symbol pack from Cellebrite, which contains all of the 
currently known symbols. (In most cases this will be adequate.) 

2. Connect to the Internet and reprocess. 

3. Copy a utility to an external drive (such as a USB drive), which can then be connected to an 
Internet-connected computer and run. The symbols are downloaded to the USB drive. The 
USB drive is then connected back to the computer running Inspector, and the symbols are 
copied over. (To do this, click Select Drive, select the external drive, then click Copy Utility.) 


Analyzing Memory Files 


After a memory file has been added to Inspector and processed with the desired processing 
options, the parsed contents can be analyzed. In the Browser view, files carved from the memory 
file are separated by type and then file type extension. Each file can be viewed within the 
appropriate Inspector view. For instance, if any pictures have been carved from the memory file, 
they can be viewed in the Media view. 


Memory file artifacts can also be viewed within the Memory sub-view. On the toolbar, click 
System > Memory. For more information, see System View. 


When the examiner runs processing options on a memory file, Inspector uses a bulk extraction 
tool to perform content searches, scanning the evidence file for key items of interest. For more 
information, see Bulk Extraction Searches on Memory Files. 
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Adding a USB Attached Mobile Device 


Inspector can logically acquire and process an attached iOS (i.e., iPod, iPhone or iPad) or Android 
device. The process for adding an attached mobile device is begun the same way as for adding 
any form of evidence to an Inspector case. For more information, see Adding Evidence to a Case. 
Additional steps and considerations pertaining to mobile devices are discussed below. 


Settings for Android Devices 


For the analysis system to recognize an Android device, make sure the Android device is 
unlocked, and that USB debugging has been enabled in the Developer options (or, on some 
devices, Development) in the device's Settings menu. The USB debugging option may have to be 
selected and unselected a few times on some Android devices. 


Once the device is in USB debugging mode, and the RSA key fingerprint has been created by 
tapping OK, it is sometimes necessary to change the mode of the device. In order to do this, 
swipe down from the top of the device screen and choose the USB computer connection option. 
From here, Media device (MTP), Camera (PTP), or Internet mode can be chosen. While Media 
device (MTP) is the most common mode, the user may have to try Camera (PTP) or Internet mode 
for the device to be recognized. 
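The parser below is an added example for this manual, not Inspector code, and Inspector does not expose such a check. It covers the procedure above from the host side: the adb tool that ships with the Android platform tools reports each attached device with a state, and that state tells you which of the steps above is still outstanding. A device listed as "unauthorized" has not had its RSA key fingerprint accepted yet; one listed as "offline" usually needs USB debugging toggled or the USB connection mode changed; "no permissions" is a host-side driver or udev problem rather than a device setting. The output format (serial, state, then key:value properties when run with -l) is that of the stock adb tool; the sample text is constructed, not captured from a real device, and the serials in it are placeholders.

```python
"""Parse `adb devices -l` output and say whether each device is ready to acquire.

Added example; not Inspector code.  The sample output is constructed.
"""

READY = "device"

# Host-side advice per adb state, following the troubleshooting notes above.
ADVICE = {
    "device": "ready: adb is authorised, acquisition can start",
    "unauthorized": "accept the RSA key fingerprint prompt on the device (tap OK)",
    "offline": "toggle USB debugging off and on, or switch the USB mode (MTP/PTP)",
    "no permissions": "host cannot open the USB device: fix udev rules/driver, then replug",
}


def parse_adb_devices(text: str) -> list:
    """Return [{'serial', 'state', 'props'}, ...] for every listed device."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        if "no permissions" in line:
            # The state itself contains a space and is followed by free text,
            # so it cannot be split on whitespace like the other states.
            serial, state, rest = line.split()[0], "no permissions", []
        else:
            parts = line.split()
            serial, state, rest = parts[0], parts[1], parts[2:]
        props = {}
        for token in rest:
            if ":" in token:
                key, value = token.split(":", 1)
                props[key] = value
        devices.append({"serial": serial, "state": state, "props": props})
    return devices


def ready_to_acquire(device: dict) -> bool:
    """True only when adb reports the device as authorised and online."""
    return device["state"] == READY


def advice_for(device: dict) -> str:
    return ADVICE.get(device["state"], f"unexpected state '{device['state']}'")


# Constructed sample of `adb devices -l`; serials and models are placeholders.
SAMPLE_OUTPUT = """\
List of devices attached
ZY22GX7L4Q             device usb:1-1.2 product:blueline model:Pixel_3 device:blueline transport_id:1
0123456789ABCDEF       unauthorized usb:1-1.3 transport_id:2
emulator-5554          offline
R58M1234ABC            no permissions (verify udev rules); see [http://developer.android.com/tools/device.html]
"""

if __name__ == "__main__":
    for dev in parse_adb_devices(SAMPLE_OUTPUT):
        print(f"{dev['serial']:18} {dev['state']:15} {advice_for(dev)}")
```

Feed it the real output of adb devices -l before opening the Add Evidence window; only a device whose state is "device" will appear under Attached Mobile Devices with anything useful behind it.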


Adding Evidence from a USB Attached Android or iOS Device 


When a live Android or iOS mobile device is attached and the PIN has been used to unlock the 
device, data can be acquired. The device is shown in the Attached/Mounted Devices area. 
Highlighting the device reveals its information in the middle portion of the window. 


[Screenshot: the Add Evidence window with an attached iPad (iOS) selected under Attached Mobile 
Devices and Evidence ID iPad - 001. The middle pane lists Model Version (iPad mini (5th 
generation)), Data Available, Data Used, OS Version, Product Type, Model Number, Firmware 
Version, Serial Number, UDID and WiFi Address. The Processing Options pane offers Preview, 
Triage and Comprehensive presets and the options Extract Data, DB Recovery, File Signature 
Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate 
Hashes, Identify Known Files, Smart Indexing, Mail Parsing, Activity Correlation, Calculate File 
Entropy, and Manage Passwords..., with Refresh, Cancel and Start buttons.] 
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When finished with the options in the Add Evidence window, click Start to start the data 
acquisition and processing. In the Component list select Evidence Status. Inspector begins 
acquiring and processing the data according to the options chosen. Disconnect the iOS device 
only after the acquisition is complete. 


Additional Notes on Adding Mobile Devices to a Case 


When an examiner adds a USB attached mobile device, Inspector acquires logical data (not a bit-
by-bit forensic image) from the attached device and places the data into the case file. When iOS 
data is acquired using this option, Inspector leverages the iTunes API backup functionality. 
However, this acquisition is much more thorough than a simple iTunes backup: a special low-level 
connection is also established, and additional data not contained in a normal iOS iTunes backup 
is acquired as well. This is the best method for acquiring and examining logical iOS data when a 
physical image is not possible. 


Because Inspector does not forensically image or jailbreak iOS devices, email is not acquired. 
But SMS/MMS messages, contacts, phone calls, voicemails, pictures, etc., are. 


Acquiring data using this method may cause a case file to become quite large, depending on the 
size of the iOS device, so be sure the case is stored on media with the appropriate capacity. 


It is best to disable wireless connectivity on mobile devices before acquiring data from them. 


Some iOS applications may cause data acquisition or processing to fail. If this happens, quit and 
relaunch Inspector; the acquisition may then continue successfully. If another failure occurs, remove 
the iOS device and re-add it to the case with different processing options selected. You can find 
debugging instructions and additional troubleshooting information in File System Information. 


If adding an Android device that is “rooted,” ensure that the device's developer option for Root 
Access is set to Apps and ADB before beginning the collection. If this Root Access option is set to 
Apps Only, Inspector may not be able to properly interact with the device. 


Adding Other Attached Devices 


An examiner may use Inspector to perform an analysis of attached devices. These include a 
mounted device such as a .dmg image, a Time Machine/Time Capsule image, an external 
FireWire or USB drive, or a mounted .E01 file. For more information, see Appendix 2 - 
EWMounter. 


The process for adding attached devices is begun the same way as for adding any form of 
evidence to an Inspector case. For more information, see Adding Evidence to a Case. 


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Adding a Mobilyze Case 


Cases created and stored with Mobilyze, Cellebrite’s mobile device triage tool, may be added to 
an Inspector case. Mobilyze has the potential to acquire some types of data that cannot be 
displayed within that application, yet will be viewable in Inspector, which is designed for more 
comprehensive analysis. 


To add a Mobilyze case to Inspector, follow the same process as for adding any form of evidence 
to an Inspector case. For more information, see Adding Evidence to a Case. 


In the left pane of the Add Evidence window, click Add. Navigate to the desired Mobilyze folder 
and click Select. The Add Evidence window recognizes the folder as a Mobilyze case and notes it 
as such in the middle pane. 


When finished with the options in the Add Evidence window, click Start to begin adding the 
Mobilyze case to the Inspector case. 


Adding a Folder or File 


You may add targeted or triaged evidence stored in individual folders or files to a case. 


The process for adding a file or folder is begun the same way as adding any form of evidence to 
an Inspector case. For more information, see Adding Evidence to a Case. 


Inspector imports and processes the chosen evidence items, and they are displayed in the 
Evidence section of the Component list. 


Adding Evidence Using Drag and Drop 


You can add data to a case in Cellebrite Inspector using the drag-and-drop method for these 
data ingestion options. 


e Disk Image: Add a forensically acquired or virtual disk image (DMG, DD, VMDK, E01, Ex01, 
L01, S01) 

e Folder: Add a folder and folder contents 

e File: Add a file 


For more information, see Tags. 
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Select one of the above data source types from Finder and drag it onto the Component list. A 
border appears around Evidence. Drop the file onto the Component list and the Add Evidence 
window appears. 


[Screenshot: the Component list while a file is being dragged onto it; a border appears around the 
Evidence section, which already lists a computer image with its volumes (Racer - Data, Racer, 
BOOTCAMP), a memory dump (Bennett-Mem.dmp), an iPhone (Tenisha's iPhone) and an iVe 
export (Ford_iVeExport.ivx), followed by Activity with Evidence Status and Export Status.] 

From this point, follow the same process as for adding any form of evidence to an Inspector 
case. For more information, see Adding Evidence to a Case. 


Inspector imports and processes the chosen evidence items, and they are displayed in the 
Evidence section of the Component list. 


Adding Berla iVe 


Working with Berla Corp, Inspector is capable of importing data exported from Berla iVe. Berla 
Corp is the industry leader in vehicle forensics. Vehicles contain a vast amount of data useful 
during an investigation: routes, vehicle events, location data, connected devices, and media can 
all be stored in the computers in a vehicle. Once the data is acquired using the Berla iVe 
ecosystem, it is imported into Berla's iVe forensic software. Berla Corp has added an option in iVe 
Desktop to export data to an .ivx database for import into Inspector. 


Choose the .ivx file in the Add Evidence window. 


Inspector ingests the .ivx database and processes the data. 


[Screenshot: the Add Evidence window with Evidence ID Ford_iVeExport.ivx - 001.] 
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All of the data included in the .ivx database can be viewed from the Browser view, using the 
Preview tab in the File Content view. 


[Screenshot: the Browser view of the ingested Ford_iVeExport.ivx database. The File Content 
view's Preview tab shows a parsed table with ID, Datetime and Accuracy columns, with the 
Value (Little Endian) pane below it.] 
Parsed data is visible in these views in Inspector. 
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e Device Connections 
e File Knowledge (Recent Items) 
e Account Usage (Top Contacts) 
e Communication (Calls, Contacts) 
e Locations (Map View, Location List) 
e System (System Log) 


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[Screenshot: the Locations view of the iVe data, with Map View, Location List and Mapping Apps 
tabs, showing a plotted location record dated 2017-11-30 20:07:21 (UNKN).] 
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Adding iCloud Productions 


With the proper search authority, Apple provides data from a user's iCloud account using that 
person's Apple ID. A myriad of data can be stored in a person's iCloud account including multiple 
device backups. iCloud Production files from Apple are sent in an encrypted GPG format. These 
files must be decrypted prior to ingestion. If an examiner attempts to add encrypted GPG files, 
Inspector will display a prompt indicating the GPG file must be decrypted. Decryption of the GPG 
file results in a .zip file. 


The process for adding an iCloud Production .zip file is begun the same way as adding any form 
of evidence to an Inspector case. For more information, see Adding Evidence to a Case. 


Ingesting data from iCloud Production files relies on the formatting of these files. If Apple 
chooses to alter the format of the data in iCloud Production files, Inspector may cease to identify 
iOS device backups in the iCloud Production files. 


Some users do not store device backups in iCloud, and some iCloud Production files therefore 
contain no device backups. In that case the iCloud Backups processing option is not available for 
that set of iCloud Production files, and Inspector identifies the file as a ZipArchive. 


[Screenshot: the Add Evidence window with BB_jbennett_mac@me.com_20190509.zip selected and 
identified as ZipArchive, Evidence ID BB_jbennett_mac@me.com_20190509.zip - 001. The middle 
pane shows the file's Date Created, Date Modified, Owner, Group, Path, Extension and flags. The 
Processing Options pane lists Extract Data, DB Recovery, File Signature Analysis, Picture 
Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify 
Known Files, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart 
Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, Hiberfil.sys / 
Pagefile.sys, Calculate File Entropy and Manage Passwords...; no iCloud Backups option is 
offered.] 
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For iCloud productions containing iOS device backups, Inspector identifies the zip files as an 
iCloudBackupArchive. The device backups are detected, and the processing option iCloud Backups 
is available and will be automatically marked. Some iCloud accounts contain multiple backups 
for the same device and backups for different devices. 


[Screenshot: the Add Evidence window with BB_fox.tenisha@icloud.com_20190510.zip selected 
and identified as iCloudBackupArchive. The Processing Options pane lists the same options as 
above plus iCloud Backups, which is marked automatically.] 


As the data is ingested, Inspector first identifies the zip file as iCloudBackupArchive. This can be 
seen in the Evidence Status section of the Component list. 


[Screenshot: Component list during ingestion. Under Evidence, the item is shown as iCloudBackupArchive (No Volume Label); the Evidence Status pane shows Parsing in progress with Extract Data and DB Recovery pending, followed by the processing log header (Inspector version, case path, evidence path).] 
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Once parsing completes, Inspector changes the Evidence Item name to the name of the .zip file. 


[Screenshot: Component list after parsing. The evidence item is now named BB_fox.tenisha@icloud.com_20190510.zip; the Evidence Status log shows Parsing, Web Cache, and Extract Data started and finished, followed by File Typing, Metadata Processing, and DB Recovery started.] 


Before iOS device backups are parsed, all other processing options must complete on the zip 
file. Once the iCloud process starts, its entry in Evidence Status displays how many device 
backups there are. 


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As the iOS backups are processed, they are added one at a time. 
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As Inspector parses the data stored in the backups, the temporary name /cloudfsstore is applied 
to the backup. Once parsing begins on a backup, the name is changed to the Device Name of the 
iOS device. 


As the iOS backups process, data on the backups can be viewed and examined. 


Adding UFED and Premium CAIS Acquisitions 


Cellebrite Inspector supports UFED (segmented .zip) extractions as well as Premium Cellebrite 
Advanced Investigative Services (CAIS) .dar formats for mobile device acquisitions. 


When ingesting a UFED acquisition, point Inspector to the main .zip file for UFED extractions and 
the .dar file for Premium extractions. 


If the iOS device is encrypted, you can select the device to enter the password in the Processing 
Options panel. You can find that password in the .ufd file accompanying the .zip file. If the 
password is validated, the device is processed normally. 


After Inspector parses the .zip file, the iOS device image within the .zip file is parsed. You can see 
the additional item in the Evidence Status view and the Component list. The name of the iOS 
device changes during processing and is final when processing is complete. 


You can investigate both the .zip file and the iOS device. The view depends on which evidence 
item you select. 
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Remove Evidence from a Case 


You may remove an evidence item from a case. 


1. In the Component list under Evidence, right-click the evidence item to be removed. 
2. Click Remove <Item Name> from Case. 


[Screenshot: Evidence section of the Component list with the context menu for an evidence item open, showing the Relocate source for ..., Rename drive ..., and Remove ... from Case commands.] 


3. In the confirmation dialog, click Remove. 


Move a Case File to a Different Computer 


You can move a case file to a different computer for another examiner to look at. You must first 
create a case archive to move or copy it. 


1. In the Case Manager window, select the case file. 

2. Click File > Create Case Archive. 

3. Choose the location to export the case file to, and then click Save. 

4. On the computer where the case should reside, open Inspector. 

5. Click File > Restore Case Archive. 

6. Navigate to the location of the saved archive from Step 3, select the archive folder, and then 
click Open. 

This message appears: Would you like to restore this archive to a local case? 
Create a new case on this local system. 

7. Click Local Case. 

8. Navigate to the location on this computer to restore this case file to, name the case, and then 
click Save. 


When restoration is complete, the case file opens in Inspector. 
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Relocating a Disk Image 


If you move a disk image in a case to a new location on the same disk, Inspector automatically 
recognizes the image's new location. However, if you move the image to a new location on a 
different disk, such as a network share, Inspector does not recognize the disk image's new 
location. Therefore, <Disk Unavailable> appears next to the item in the Component list. 


[Screenshot: Evidence section of the Component list with the context menu for the device 'The6' open: Relocate source for 'The6'..., Export evidence file for 'The6'..., Rename drive 'The6'..., and Remove 'The6' from Case....] 


You must navigate to and select the disk image from within Inspector before data from the 
device is once again available for examination. In the Evidence section of the Component list, 
right-click or CTRL+click the device and then click Relocate Evidence from the context menu. In 
the navigation window, locate the disk image and select it. Inspector automatically links to the 
disk image in its new location and displays it in the Evidence section of the Component list. 


Exporting Mobile Device Evidence 


You may need to export mobile device evidence to collaborate with another examiner or for e- 
Discovery purposes. 


In the Component list under Evidence, select the mobile device evidence item to be exported. 
Right-click the device and click Export Evidence File from the context menu. 


Select the destination for the exported file and click Save. You can monitor the progress of the 
export by selecting Export Status in the Component list. 


The exported file for the mobile device evidence is named Files.bbtar. 
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Hashing and Verifying Forensic Evidence 


To generate a disk image hash value, on the toolbar, click Details, choose the dropdown option 
for the device. The Calculate Disk Hash link appears. 


[Screenshot: Details view for Bennett-Computer-200520.E01.] 


Click Calculate Disk Hash, and a Hash Types window appears. Select any or all of the hash type 
checkboxes. 


As Inspector generates the hash values, a “Hashing” progress bar overlay appears in the Case 
Window. After hashing is complete, the hash values are displayed. 


You can copy and paste text from the device description into a text file, or export the text to a 
spreadsheet or database file. Select any or all of the device description text, then use your 
operating system's shortcut keys to copy and paste the text into your text file. To export the 
selected text items to a tab-delimited or CSV file, select text items in the Content pane, then 
open Inspector's context menu and click Export Selected Rows. 


You must manually verify (compare) hash values from a .dd or .dmg image, as these types of 
images (raw images) do not store hash values. However, because E01 hash values are stored in 
the E01 image itself, when you click Calculate Disk Hash, Inspector compares the generated E01 
image file hash value to the hash values stored in the image file. If the hash values match, the 
word Verified appears along with the generated hash values. Click the Calculate Disk Hash link 
any time to recalculate the disk hashes. Note that a match against the hash stored inside the 
E01 shows only that the image has not changed since it was written; it does not by itself tie the 
image to the original media, so also compare against the hash recorded in the acquisition log or 
chain-of-custody documentation. 


The known OS X and Windows hash sets have been updated to use hashes from hashsets.com. 
This increases the number of OS versions and total amount of hashes for hash comparisons, 
allowing you to filter out a larger number of unnecessary system files. 


Inspector supports hash sets containing MD5, SHA-1, and SHA-256 hash values. Inspector 
allows you to import hash sets saved as text files as long as the file contains one hash value per 
line with each line separated by a carriage return. Inspector automatically identifies the type of 
hash value stored in the text file. 


Custom hash sets created in Inspector are automatically saved in the .blhs format. Hash sets 
can be created containing MD5, SHA-1, SHA-256 or any combination of the three. Choose the 
hash types to be included in the hash set in the Hash Set Export window. 


[Screenshot: Hash Set Export window with the prompt Select hash sets to export, checkboxes for MD5, SHA-1, and SHA-256, and Cancel and Continue buttons.] 
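The following Python is an added worked example, not Inspector's own code. It reproduces the two checks this section describes: hashing a raw image in a single pass and comparing the result against a hash recorded elsewhere (what you must do by hand for .dd and .dmg images), and importing a one-hash-per-line hash set whose hash type is recognized from the digest. The sample image bytes and hash-set text are constructed inline; the function names are mine, and recognizing the hash type by hex-digest length (32, 40, 64 characters) is an assumption drawn from the three supported types, not a documented rule. 

```python
import hashlib
from typing import Dict, Iterable, Set

# Hash types the text says Inspector supports, keyed by the length of their hex digest.
HASH_TYPES_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def detect_hash_type(value: str):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of the matching length, else None."""
    v = value.strip().lower()
    if len(v) not in HASH_TYPES_BY_LENGTH:
        return None
    if any(ch not in "0123456789abcdef" for ch in v):
        return None
    return HASH_TYPES_BY_LENGTH[len(v)]


def load_hash_set(text: str) -> Dict[str, Set[str]]:
    """Parse a one-hash-per-line hash set into {type: set of lowercase digests}.

    splitlines() accepts CR, LF and CRLF terminators, so a file whose lines are
    separated only by carriage returns is read correctly. Non-blank lines that
    are not a hex digest of a supported length are kept under "rejected" so a
    silently empty import is noticed rather than mistaken for a clean one.
    """
    sets: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set(), "rejected": set()}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind = detect_hash_type(line)
        if kind is None:
            sets["rejected"].add(line.strip())
        else:
            sets[kind].add(line.strip().lower())
    return sets


def hash_stream(chunks: Iterable[bytes], algorithms=("md5", "sha1", "sha256")) -> Dict[str, str]:
    """Feed every chunk to all requested digests so the image is read only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path: str, algorithms=("md5", "sha1", "sha256"), chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a raw (.dd/.dmg) image on disk in 1 MiB chunks; memory use stays flat."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""), algorithms)


def verify_against(computed: Dict[str, str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare computed digests with those recorded at acquisition, case-insensitively.

    A type that was recorded but not computed is reported as False rather than
    skipped, so an incomplete check cannot look like a pass.
    """
    return {
        kind: (kind in computed and computed[kind] == expected.strip().lower())
        for kind, expected in recorded.items()
    }


# Constructed sample inputs (not real evidence): an in-memory stand-in for a raw
# image, and a hash-set file whose lines are separated by carriage returns only.
SAMPLE_IMAGE = bytes(range(256)) * 64
SAMPLE_HASH_SET = "\r".join([
    "d41d8cd98f00b204e9800998ecf8427e",                                   # MD5 of ""
    "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",                           # SHA-1 of "", upper case
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # SHA-256 of ""
    "",
    "not-a-hash",
])

if __name__ == "__main__":
    digests = hash_stream([SAMPLE_IMAGE])
    acquisition_record = {"sha256": digests["sha256"].upper()}   # what the examiner's notes would hold
    print(verify_against(digests, acquisition_record))           # {'sha256': True}
    print({k: len(v) for k, v in load_hash_set(SAMPLE_HASH_SET).items()})
```

For a real raw image, call hash_file on the .dd or .dmg path and pass the result to verify_against together with the hashes written down at acquisition; the per-type True/False map is what you would paste into the examination notes next to Inspector's own Calculate Disk Hash output. 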
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Advanced Evidence Recovery 


Cellebrite Inspector includes several disk and partition editing and recovery features. An 
examiner may specify sector size, edit or define hidden or missing partition parameters, import a 
partition as unallocated space, and create an .iso disk image file from a partition. 


As outlined in the Adding Evidence to a Case topic, begin the process for adding any of these 
evidence items to a case. 


e Disk Image: Add a forensically acquired or virtual disk image (DMG, DD, VMDK, E01, Ex01, 
L01, S01, AFF4) 

e Selected Image File: Add the selected image file or virtual machine file located in a 
Component list device (available only when an image file or VM file is selected) 

e Encrypted iOS Disk Image: Add a forensically acquired third-party iOS disk image with 
proprietary encryption enabled (such as Lantern Lite, etc.) 

e Other Attached Device: Add a mounted device such as a .dmg image, a Time Machine / Time 
Capsule image, an external FireWire or USB drive, or a mounted .E01 file (EWMounter) 


Manually Setting Disk Sector Size 


In the Add Evidence window, open the context menu from the selected disk or partition, and then 
click Set Disk Sector Size. The Disk Sector Size window appears. In the Sector Size field, type the 
appropriate sector size and click Set. Inspector applies the new sector size. 


Editing a Partition 


To recover a deleted or missing partition, in the Add Evidence window open the context menu 
from a disk or partition, and then click Edit Partitions. The Partition Editor window appears. 


[Screenshot: Partition Editor window. The partition list shows Apple (First Sector 1, Last Sector 63) and disk image (First Sector 64, Last Sector 400063); the Highlight Sector field reads 0, and a hex view of the highlighted sector is shown on the right. Cancel and Apply buttons are at the bottom.] 


To change an existing partition’s definition, on the left side of the Partition Editor window under 
the First Sector and/or Last Sector column, double-click the partition’s current sector definition. 
An editable text box appears. Type the desired sector definition and click anywhere in the 
Partition Editor window to escape the text box. The new first and last sector definition displays. 


To highlight a specific sector, at the top of the Partition Editor window in the Highlight Sector field, 
type a sector number. Inspector jumps to the chosen sector and highlights the entire sector in 
yellow. 
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Defining a Deleted or Missing Partition 


To define a deleted or hidden partition, in the lower left corner of the Partition Editor window, 
click + (add). A New Partition <partition #> entry appears in the partition list. To define the new 
partition’s first and last sectors, under the First Sector and Last Sector column, double-click on 
the zero. An editable text box appears. Type the desired sector definition and click anywhere in 
the window to escape the text box. The new partition’s first and last sector definition displays. 


To remove an existing partition, select a partition from the partition list and in the lower left 
corner of the Partition Editor window, click - (remove). The partition is removed from the partition 
list. Once all partition definitions are as desired, in the lower right corner of the Partition Editor 
window, click Apply. Inspector applies the new partition definitions. 


Importing or Processing a Drive or Partition as Unallocated Space 


When an item is selected in the left pane of the Add Evidence window, all its partitions are 
displayed in the middle pane. Partitions with recognized file systems that can be imported into 
Inspector are displayed with a checkbox to allow selection. However, any partition, whether it has 
a checkbox or not, may be imported as unallocated. Open the context menu from the partition 
and select Import Partition as Unallocated. Select Custom in the right pane and Carve Unallocated 
becomes an available option. 


Attached disks in the left pane can also be imported as unallocated in the same fashion. From 
the context menu, select Import as Unallocated. 


In the Add Evidence window, mark the checkbox for Carve Unallocated and click its corresponding 
ellipsis button to specify the unallocated file types to include in the recovery. 


Note: If you open the context menu from a partition that is currently set for adding to the case as 
unallocated, Import Partition Normally is an available option in the context menu. 


Creating an .iso Disk Image from a Partition 


If a disk image partition contains an unsupported file system format (such as ZFS), you may 
create an .iso image from the partition and examine it with a third-party forensic analysis tool. In 
the Add Evidence window, open the context menu from a partition and select Create ISO from 
Partition. The Creating ISO window appears. 


In the Start Sector and Sector Count fields, define the partition start sector and the partition’s total 
sector count, respectively. 


To determine the number of sectors in a partition if the number is unknown, click Cancel to 
dismiss the Creating ISO window. In the Add Evidence window, open the context menu for a disk 
or partition and click Edit Partitions. The Partition Editor window appears. Locate the partition in 
the partition list, and subtract the number in the First Sector column from the number in the 
Last Sector column and add one. The resulting number is the partition’s total sector count. In 
the Add Evidence window, open the context menu from a partition and click Create ISO from 
Partition. The Creating ISO window appears. 


In the Start Sector and Sector Count fields, define the partition start sector and the number of 
sectors in the partition, respectively. To create the .iso disk image file, click Start. Provide a 
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name and destination location for the new .iso disk image and click Save. The .iso disk image is 
saved. 
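The following Python is an added worked example, not Inspector's own code. It carries out the arithmetic and bounds checks behind three of the operations above: the First Sector/Last Sector definitions in the Partition Editor, the manually set disk sector size, and the Start Sector/Sector Count pair the Creating ISO window asks for. The sample image is constructed inline (eight 512-byte sectors, each filled with its own index number); the Partition class and function names are mine, and the output is a plain dump of the partition's sectors, since the page does not describe the internal format of the .iso file Inspector writes. 

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Partition:
    """One row of the Partition Editor: first and last sector are both inclusive."""
    name: str
    first_sector: int
    last_sector: int

    @property
    def sector_count(self) -> int:
        """Last Sector - First Sector + 1, the figure the Creating ISO window needs."""
        if self.first_sector < 0 or self.last_sector < self.first_sector:
            raise ValueError(f"{self.name}: invalid sector range")
        return self.last_sector - self.first_sector + 1


def partition_fits(image_size: int, start_sector: int, sector_count: int, sector_size: int) -> bool:
    """True if the whole sector range lies inside an image of image_size bytes."""
    if sector_size <= 0 or start_sector < 0 or sector_count <= 0:
        return False
    return (start_sector + sector_count) * sector_size <= image_size


def extract_partition(image: bytes, start_sector: int, sector_count: int, sector_size: int = 512) -> bytes:
    """Return the raw bytes of a partition from an in-memory raw disk image.

    The range is bounds-checked first: a wrong sector size or a mistyped last
    sector should fail loudly, not silently yield a short or empty output.
    """
    if not partition_fits(len(image), start_sector, sector_count, sector_size):
        raise ValueError(
            f"sectors {start_sector}..{start_sector + sector_count - 1} at {sector_size} B/sector "
            f"do not fit in a {len(image)}-byte image"
        )
    start = start_sector * sector_size
    return image[start:start + sector_count * sector_size]


def write_partition_image(image_path: str, out_path: str, start_sector: int, sector_count: int,
                          sector_size: int = 512, chunk_sectors: int = 2048) -> int:
    """Stream a partition from a raw image file on disk to out_path; returns bytes written."""
    remaining = sector_count * sector_size
    written = 0
    with open(image_path, "rb") as src, open(out_path, "wb") as dst:
        src.seek(start_sector * sector_size)
        while remaining:
            chunk = src.read(min(remaining, chunk_sectors * sector_size))
            if not chunk:
                raise ValueError("image ended before the partition's last sector")
            dst.write(chunk)
            written += len(chunk)
            remaining -= len(chunk)
    return written


# Constructed sample image: 8 sectors of 512 bytes, sector i filled with byte value i,
# so the content of any extracted range shows which sectors it came from.
SECTOR_SIZE = 512
SAMPLE_IMAGE = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))

# The two Partition Editor rows from the screenshot in this section, plus one for the sample image.
EDITOR_ROWS = [Partition("Apple", 1, 63), Partition("disk image", 64, 400063)]
SAMPLE_PARTITION = Partition("data", 2, 5)

if __name__ == "__main__":
    for row in EDITOR_ROWS:
        print(f"{row.name}: start sector {row.first_sector}, sector count {row.sector_count}")
    blob = extract_partition(SAMPLE_IMAGE, SAMPLE_PARTITION.first_sector, SAMPLE_PARTITION.sector_count)
    print(len(blob), blob[0], blob[-1])   # 2048 2 5
```

The sector size matters as much as the sector numbers: the same Start Sector and Sector Count address a different byte range at 4096 bytes per sector than at 512, which is why Set Disk Sector Size has to be right before any partition definition or ISO export is trusted. 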


File Entropy 


With Cellebrite Inspector, you can calculate byte stream entropy per file, which can aid in 
discerning between items that are more likely to be encrypted versus those which are not. 
Entropy values range from 0 to 1, with values closer to 1 denoting items that are more likely to 
be encrypted. 


You can process file entropy when adding an evidence item to a case. In Processing Options, 
mark the checkbox for Calculate File Entropy before you click OK. 
[Screenshot: Processing Options for Bennett-Computer-200520.E01 (ImageFile), with the Preview, Triage, and Comprehensive presets and the Calculate File Entropy checkbox near the bottom of the option list.] 

File entropy may also be processed after adding the evidence item to a case. Select an evidence 
item under Evidence Status in the Component list and click Run (or Rerun) next to Entropy. 
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Entropy is available as a sortable column for display in the Browser and File Filter views. 


[Screenshot: Browser view with the Entropy column displayed; the entries under the .fseventsd folder are sorted by their entropy values, which range from roughly 0.46 to 0.68.] 

File entropy is also available as an individual file filter in the File Filter view. 


[Screenshot: File Filter view with the File Entropy filter expanded, showing the High (> 0.8), Medium (0.5 - 0.8), and Low (< 0.5) options and the Invert Filter checkbox.] 


The File Entropy filter has these option modifiers. 


e High (> 0.8) 
e Medium (0.5 - 0.8) 
e Low (< 0.5) 
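The following Python is an added worked example, not Inspector's own code. It shows how a per-file entropy on the 0 to 1 scale is computed (Shannon entropy of the byte distribution divided by the 8 bits a byte can carry), how the value maps onto the High, Medium, and Low bands of the File Entropy filter, and why small files need a caveat. The sample inputs are constructed inline; the page does not say whether exactly 0.5 and 0.8 fall in Medium, so that boundary is an assumption here, and the normalization itself is the standard one rather than a documented Inspector formula. 

```python
import math
from collections import Counter
from typing import Dict


def byte_entropy(data: bytes) -> float:
    """Shannon entropy of the byte stream, normalised to 0..1 (bits per byte / 8).

    A file in which every byte value occurs equally often scores 1.0; a file that
    repeats a single byte value scores 0.0.
    """
    if not data:
        return 0.0
    n = len(data)
    bits = 0.0
    for count in Counter(data).values():
        p = count / n
        bits -= p * math.log2(p)
    return bits / 8.0


def entropy_band(value: float) -> str:
    """Map a 0..1 entropy to the File Entropy filter's bands.

    Assumption: the page lists High (> 0.8), Medium (0.5 - 0.8) and Low (< 0.5)
    without saying where exactly 0.5 and 0.8 land; they are treated as Medium here.
    """
    if value > 0.8:
        return "High"
    if value >= 0.5:
        return "Medium"
    return "Low"


def max_entropy_for_size(n: int) -> float:
    """Highest normalised entropy an n-byte file can reach: log2(min(n, 256)) / 8.

    A 16-byte file tops out at 0.5, so it can never land in the High band even if
    it is perfectly random; short keys, IVs and tokens are missed by an entropy
    filter for that reason alone.
    """
    if n <= 0:
        return 0.0
    return math.log2(min(n, 256)) / 8.0


# Constructed samples (not files from a case): every byte value equally often,
# a single repeated value, and ordinary English text.
SAMPLES: Dict[str, bytes] = {
    "uniform": bytes(range(256)) * 4,
    "zeros": b"\x00" * 1024,
    "text": b"The quick brown fox jumps over the lazy dog. " * 20,
}


def classify(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Band for each sample, annotated when the file is too small to ever reach High."""
    out = {}
    for name, data in samples.items():
        band = entropy_band(byte_entropy(data))
        if max_entropy_for_size(len(data)) <= 0.8:
            band += " (too small to reach High)"
        out[name] = band
    return out


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8s} {byte_entropy(data):.4f} {entropy_band(byte_entropy(data))}")
```

Two caveats apply when reading the High band. Compressed and already-packed content (zip, jpeg, mp4, many installers) also scores close to 1.0, so High means "encrypted or compressed", and File Signature Analysis is needed to tell the two apart. And because the ceiling depends on file length, a file shorter than about 85 bytes cannot exceed 0.8 no matter what it contains, so very small encrypted items will never be selected by the High filter. 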
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The Timeline view lets you access more information from one place. It responds quickly, even 
with many items in a case file, and allows you to easily focus on all activity during a time period 
you specify. You can see and sort by all timestamps for each artifact in the Timeline view. You 
can also see the file path, so you can easily view the file in the File Browser view and investigate 
further. You can tag items in the Timeline view just as you would In other views within Inspector. 


To open the Timeline view, click Timeline in the toolbar. 
This chapter provides these topics about the Timeline view. 


e Time Scale 

e Artifacts in Timeline 

e Timeline Details 

e Additional Timeline Features 


Time Scale 


To open the Timeline view, click Timeline in the toolbar. 


The time scale is the main navigation and display area for the time period currently in view. By 
default, the time scale centers its visible date range on the years between 1990 and 2024. You 
can move the visible timeframe, which changes the time period being viewed and the artifacts 
listed in the artifacts section. The scale cannot be moved to a date before 1900, nor can it be 
moved to a date more than 20 years after the current date. These are the control buttons for 
timeline navigation. 


e ?, in the top left, is interactive help for the timeline. 

e +, to the right of the help button, zooms in on the timeline. 

e - below the + button, zooms out on the timeline. 

e <>, below the help button, returns to the original view if you are zoomed in or out too far. 

e Two buttons on either edge of the timeline scroll the time view left or right. You can also use 
your mouse to click and drag the time scale left or right. 


As you move the mouse along the histogram area, a thin grey line shows where in the timeline 
the current navigation is, and a corresponding date and time appears to the left of the navigation 
buttons. 


[Screenshot: Timeline time scale with the help, zoom in, zoom out, and reset buttons, the date/time readout to their left, and the year ticks for the 1990s through the 2020s.] 
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You are notified if the time scale moves to a time where no data is visible. In the extreme 
example below, the date range visible in the time scale is between 1925 and 1949, and there are 
no artifacts during the time period. The help shows that you need to zoom out and change the 
date range to see any artifacts. 
[Screenshot: Time scale scrolled to 1925-1949 with no artifacts in range; the histogram area reads "Zoom Out To See Counts".] 


Artifacts in Timeline 


To open the Timeline view, click Timeline in the toolbar. 


Below the time scale, you can see where artifacts fall within the timeline. A histogram shows 
where the most artifact activity falls within the visible date range. The larger the histogram, the 
more data that exists for that period. 


In addition to all the artifacts in the case, the Timeline view shows categories for the artifacts. All 
categories show by default; you can hide any of them as appropriate. These categories are the 
same ones you see in the Inspector case. As you move the mouse along the histogram area, a thin 
grey line shows where in the timeline the current navigation is. 


The categories list to the left of the histogram area does not move when you change the time 
scale. This helps you stay oriented when viewing artifacts over time. It does update to show 
category information for the time period currently selected. To see more details for a specific 
time, you can click and drag left or right to highlight the timeframe that needs to be zoomed in 
on. 


[Screenshot: Timeline histogram with a yellow selection dragged across part of the 2010-2012 range; the category list on the left shows counts for Message (1148), Cache (4494), and Cookie (5713).] 


The size of the yellow highlight is proportional to how far it is dragged left or right. This in turn 
defines the zoom level. In the example above, the period selected is from mid-2010 through the 
end of 2012. This zooms in the scale and the artifacts histogram to show the months between 
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mid-2010 through 2012. If you make an even smaller selection, you can zoom in to the level of 
dates and times. 


[Screenshot: Timeline zoomed to the months of 2011-2012, with category counts for Files, Communication (Call, Message), Internet (Bookmark, Cookie, Downloads, History, Top Sites), and Productivity (Calendar, Note).] 


Timeline Details 


To see the Timeline view, click Timeline in the toolbar. 


When you select one or more artifact categories from the list to the left of the timeline 
histogram, the details list shows information about each corresponding artifact within the time 
period shown. When you select an item in the details list, you can see more information in the 
File Content view. In this example, the Message category was selected. 


[Screenshot: Timeline details list for the Message category, with one message selected and its content shown in the File Content view.] 


When the Files category is selected, the details view shows more dates. When you click any date 
column for a specific file artifact in the details view, the corresponding point in the timeline is 
identified with a view line. Additional view lines indicate additional dates in the timeline for that 
same file artifact. 


[Screenshot: Timeline with the Files category selected. The details list shows Type, Created, Modified, Changed, and Accessed columns for each file, and view lines mark each of those dates on the timeline.] 


To zoom in on the timeline to a specific timestamp for an item, select the specific timestamp for 
that item in the details list, open the context menu, and click Reveal > Reveal <timestamp> in 
Timeline. This lets you quickly see what other activities may have occurred in proximity to that 
activity on the timeline. 
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Additional Timeline Features 


To see the Timeline view, click Timeline in the toolbar. 


To see artifacts from the details view of the timeline in their native view of Inspector, open the 
context menu for the artifact, then click Reveal > Item in Native View. The view then redirects to 
the appropriate location with the selected artifact highlighted. 


Conversely, to see where a piece of evidence lies in correlation with other items in the Timeline 
view, open the context menu for that item, and then click Reveal > Reveal <Item Name> in 
Timeline, where <Item Name> is the name of the selected item. 




Browser View 


In Cellebrite Inspector, the Browser view lets you navigate a device or device partition file system 
similar to using Finder on a Mac computer or File Explorer on a Windows computer. 


In the Component list, select a device or device partition, and on the toolbar, click Browser. In the 
Content view, expand a folder to see a hierarchical file list. Collapse the folder and the 
hierarchical list is hidden. Double-click on a folder to display only the contents of that folder. 


[Screenshot: Browser view of the Racer - Data partition in the Inspector case window, with the Name, Date Modified, and other timestamp columns for the expanded folders.] 


You can quickly show or hide all folders within the parent folder. On a Mac computer, press OPT, 
and on a Windows computer press ALT while you click to expand two levels of child folders, or 
close all folders within the parent folder. 


The Browser view displays file timestamps, sizes, extensions, and hash values. Select a column 
heading to sort files by the column attribute. To calculate and display folder size (including folder 
contents), right-click or CTRL+click on the folder and select Calculate Size from the contextual 
menu. Inspector calculates the folder size and displays results in the Size column. You may 
calculate folder size for the root-level folder or any folder in the file system. 


To search folder contents, right-click or CTRL+click on a folder and select Search Contents from 
the contextual menu. Inspector switches to the Search view. The folder search path is 
automatically added to the search partition list and selected. For more information, see Search. 


At the top of the Content pane on the navigation bar, select the tabs to move to that location on 
the filesystem. Or use the arrows to the left of the tabs to go back to the previous location or 
forward to the most recent location. These arrows function as a historical navigation, not as a 
simple back and forward in file hierarchy. 


[Screenshot: Navigation bar with back and forward arrows and the location tabs Root > racer > Users > josh.] 


The highlighted tab indicates your current location within the directory structure. 


Select a file and at the top of the File Content view, scroll through Hex, Strings, Preview, 
Metadata, and Record to view file content in various ways. If a file has geolocation data, click 
Location to see a map displaying the file's GPS coordinates. For Mac computers only, you can 
click Quick Look (eye button) or press SPACEBAR to see the file rendered in a similar manner as 
the file's native creator application. For more information, see File Content View. 


In the Component list, select a previously processed unallocated (carved file) partition. A list of 
files recovered from unallocated space appears. 
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Working with Columns 


To change the visible columns settings, click View > Adjust List Columns. You can show or hide 
each item in the list marking or unmarking its checkbox. You can also reorder items in this list 
by dragging and dropping each item in the list to the appropriate order. When you have finished 
making changes, click Apply Changes. The columns now appear in the specified order. 


To return columns to the way they were displayed by default, click View > Adjust List Columns. 
Click Reset List to Defaults, then click Apply Changes. 


When you export data using the Export Selected Rows feature, Inspector only exports the data in 
the displayed columns; data in the hidden (unmarked) columns is not exported. 


The exception to this rule is the Contacts sub-view in the Communication view. From this sub-view, 
all fields of the contact data, including those seen in the right pane, are included in exports. 


In most views that contain columns, clicking on a column header toggles between sorting by that 
column in ascending or descending order. A single arrow in the column header denotes a 
primary sort, as well as indicating the direction (up for ascending or down for descending). You 
can add a secondary sort by pressing SHIFT while you click a second column header. A set of 
double arrows denotes a secondary sort. You can remove a secondary sort by clicking a column of 
choice for primary sorting. 


[Screenshot: Date Modified and Date Accessed columns with single and double sort arrows in the column headers] 


Type-Down in List Views 


In views that are based on list boxes, such as the Browser view, Communications views and so 
forth, you can type a letter (such as C), to immediately see the first item that begins with the 
letter C. If there is a secondary sort, the action is done only on the primary column. 
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Special Fonts and Icons in Browser View 


[Screenshot: Browser view showing Temporary Internet Files > Content.IE5 with cache subfolders and files such as container.dat and favicon[1].ico, some in deleted-file fonts] 


For NTFS and FAT volumes, Inspector scans the file system metadata (on NTFS, the MFT) for 
records of files and folders that no longer exist in the active file system. 


Files and folders with sectors on disk that still contain data are shown in red italic font in the 
Browser view, indicating the file or folder was deleted but the space it was occupying has not yet 
been overwritten. 


Files and folders with sectors on disk that are empty or that belong to another file are shown in 
gray strikethrough font, indicating the file was deleted and the space has been overwritten. 


Gray font without strikethrough denotes that a file or folder has a hidden attribute set by the 
operating system. This means the file or folder is hidden from a user during regular browsing. 


For Windows volumes, Inspector shows an ADS icon for a file with an alternate data stream. 
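The two properties this section keys on, a deleted record and an alternate data stream, are both visible in the raw MFT record: the in-use bit in the record header flags is clear for a deleted file, and an alternate data stream is simply a second $DATA attribute that carries a name. The following is an added example, not Inspector's code and not part of the original guide. It builds a constructed NTFS FILE record for a deleted file that still has a named $DATA stream, then parses it back. The offsets used (flags at 0x16, 16-byte attribute header, 8-byte resident header) are the documented NTFS on-disk layout; the stream contents and the Zone.Identifier name are constructed sample data. 

```python
import struct

# NTFS on-disk constants (documented FILE record and attribute header layout)
MFT_FLAG_IN_USE = 0x0001      # clear on the record of a deleted file or folder
MFT_FLAG_DIRECTORY = 0x0002
ATTR_DATA = 0x80              # $DATA; a *named* $DATA attribute is an alternate data stream
ATTR_END = 0xFFFFFFFF
RECORD_SIZE = 1024

# Constructed sample stream contents (not taken from any real image)
SAMPLE_DATA = b"hello world"
SAMPLE_ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def build_resident_attr(attr_type, name, content):
    """Serialize a resident attribute: 16-byte common header, 8-byte resident header,
    optional UTF-16LE name, then the content; name and length are 8-byte aligned."""
    name_bytes = name.encode("utf-16-le")
    name_off = 0x18
    content_off = name_off + len(name_bytes)
    content_off += (-content_off) % 8
    length = content_off + len(content)
    length += (-length) % 8
    body = struct.pack("<IIBBHHH", attr_type, length, 0, len(name), name_off, 0, 0)
    body += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body += name_bytes
    body += b"\x00" * (content_off - len(body)) + content
    return body + b"\x00" * (length - len(body))


def build_mft_record(flags, attrs, seq=3, links=1):
    """Serialize a FILE record; attributes start at 0x38 (48-byte header plus a
    3-entry update sequence array, rounded up to 8)."""
    attr_off = 0x38
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    used = attr_off + len(body)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI",
                                0x30, 3, 0, seq, links, attr_off, flags,
                                used, RECORD_SIZE, 0, len(attrs) + 1, 0, 0)
    hdr += b"\x00" * (attr_off - len(hdr))
    rec = hdr + body
    return rec + b"\x00" * (RECORD_SIZE - len(rec))


def parse_mft_record(rec):
    """Return in-use/directory state and every $DATA stream as (name, size).
    Caveat: a production parser must apply the update sequence fixups first; the
    constructed records here carry all-zero fixups, so that step is skipped."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & MFT_FLAG_IN_USE),
            "is_directory": bool(flags & MFT_FLAG_DIRECTORY),
            "data_streams": []}
    off = attr_off
    while off + 16 <= len(rec):
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == ATTR_END or length == 0:
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
        if attr_type == ATTR_DATA:
            if non_resident:
                size = struct.unpack_from("<Q", rec, off + 0x30)[0]   # real (logical) size
            else:
                size = struct.unpack_from("<I", rec, off + 0x10)[0]   # resident content size
            info["data_streams"].append((name, size))
        off += length
    # Every $DATA attribute with a non-empty name is an alternate data stream
    info["ads_names"] = [n for n, _ in info["data_streams"] if n]
    return info


def sample_deleted_file_with_ads():
    """Record of a deleted file (in-use flag clear) that still carries a Zone.Identifier ADS."""
    return build_mft_record(0, [build_resident_attr(ATTR_DATA, "", SAMPLE_DATA),
                                build_resident_attr(ATTR_DATA, "Zone.Identifier", SAMPLE_ZONE)])


if __name__ == "__main__":
    print(parse_mft_record(sample_deleted_file_with_ads()))
```

Whether the clusters the unnamed stream pointed at still hold the old content (red italic) or have been reused (gray strikethrough) is not recorded in the record itself; a tool has to follow the data runs and check the cluster bitmap, which this example does not do. 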


Volume Shadow Copies 


Volume Shadow Copy (VSC) data from Windows Vista to present is parsed in Inspector. VSC 
allows users to create a snapshot backup of their system. From a forensic standpoint, these 
backups may be important because they may contain files that the user believes were deleted. 
Also, VSC offers a means of saving versions of a file. Comparing file versions between the active 
file system and VSCs may reveal items changed between backups. Using Inspector, you can 
review the contents of VSCs in multiple ways, including viewing them within the same file paths 
as seen on the original user's computer. 


For Windows volumes, Inspector displays a VSC version of a file with a VSC icon. For example, 
the upper file is the version from the active file system, while the lower file is a version from a 
Volume Shadow Copy. 


[Screenshot: two $LogFile entries, the lower one marked with the VSC icon] 
In either the Browser view or File Filter view, double-click any file that is, or has, a Volume 
Shadow Copy version, and a separate File History window appears. In this window all Volume 
Shadow Copy versions of a file can be further analyzed. 


[Screenshot: File History window for record.xls. Upper list columns: Name, Date Created, Date Modified, Date Accessed, Date Added, Versions, Version Index, Size, Extension. Lower list columns: VSC Creation Date, VSC Index, Volume Shadow GUID, Name, Path, MD5. The Preview pane shows the spreadsheet's Sheet1 contents.] 


In the Browser view, files that exist in a Volume Shadow Copy but not in the parent volume are 
shown in red strikethrough italic font, indicating the file was deleted from the active file system 
but a version remains in one or more Volume Shadow Copies. 


[Screenshot: Browser view of the workingcopy folder; the last entry, shown in red strikethrough italic, exists only in a Volume Shadow Copy] 
To see only a single Volume Shadow Copy's data, select the desired Volume Shadow Copy in the 
Component list. 


[Screenshot: Component list showing Bootcamp > BOOTCAMP (Active) and BOOTCAMP (VSC 1)] 


When viewing a specific Volume Shadow Copy, only Internet data, media, communications, 
Actionable Intel view data, etc. related to that Volume Shadow Copy are seen in the various views 
in Cellebrite Inspector. For more information, see these topics: 


• Content Keyword Searches 
• Individual File Filter Options 




March 2022 


Cellebrite Inspector User Guide 


This chapter provides these topics about file filters in Cellebrite Inspector. 


• Individual File Filter Options 
• Using File Filters 
• Filtering within Specific Views 
• Locating Live Victims 


The File Filter view and the Search features isolate information in a data set. The File Filter view 
isolates information by file attribute, such as file type and creation date. In contrast, the Content 
Search feature isolates information according to file content, such as alphanumeric keywords or 
regular expressions (RegEx). The Index Search feature isolates information based on information 
stored in the smart index. 


File filtering is the quickest way to isolate data in a large data set. 


[Screenshot: File Filter view. The Component list shows Evidence, Index Searches and Content Searches; the Content pane lists files with Date Created, Date Modified, Date Accessed and Date Added columns; the filter builder shows Kind and Date Created conditions with the Invert Filter, Ignore Folders and Duplicate Files, Reset..., Save This Filter and Filter controls; the File Content view tabs are Hex, Strings, Preview, Metadata, Location and Record.] 


Inspector has these built-in filter options. 


Filter                      Description 
List All Files              Display all files on the selected device 
Name                        Filter files by name 
Path                        Filter files in a named directory (folder) 
Kind                        Filter by genus or category 
Extension                   Filter by file type based on extension (.doc, .txt, .jpg) 
Content Extension           Filter by file type based on header information 
Extension Matching *        Filter by file type based on header and extension information 
Tagged State                Filter files that are tagged or not tagged 
Tag Name                    Filter files by Tag Name 
Size                        Filter by file size 
Owner                       Filter by owner 
Group                       Filter by group 
Permission                  Filter by permissions 
Date Created                Filter by creation date 
Date Modified               Filter by date modified 
Date Accessed               Filter by last access date 
Date Added                  Filter by date added 
Inspector ID                Filter by the record ID stored within the casefile database 
File System ID              Filter by the HFS catalog (node ID) / MFT ID number 
Hash Set                    Filter files with known hash values 
Hash Set Category           Filter files based on hash set category 
File Hash                   Filter files by a specific hash value (full or partial) 
List Duplicate Files        Filter the duplicate files by hash 
File Entropy                Filter by file entropy value 
Soft Link Path              Filter by soft link path 
Hard Link Target ID         Filter by Hard Link Target ID used for Time Machine backups 
Directory                   Filter by directory 
Locked                      Filter files with a locked flag 
Resource Fork               Filter files that have a resource fork 
Alternate Data Stream       Filter files that have an alternate data stream 
Visibility                  Filter hidden or visible files 
iOS Hidden Item             Filter iOS hidden items 
Metadata Field              Filter on the metadata attribute field 
Metadata Value              Filter on the metadata attribute value 
Metadata Field Value        Filter simultaneously on metadata attribute field and value 
Spotlight Field             Filter on the Spotlight attribute field 
Spotlight Value             Filter on the Spotlight attribute value 
Spotlight Field Value       Filter simultaneously on Spotlight attribute field and value 
Internal Filter             Filter for displaying custom SQL from the Details view 
Snapshot / VSC              Filter files that have a Snapshot or Volume Shadow Copy version 
OCR Image Text              Filter by image files with text obtained by processing optical character 
                            recognition (OCR) 
Classification              Filter by classification. For more information, see Classification. 


* A file extension is easily modified. A file header is more difficult to modify. 


Each primary filter option in Cellebrite Inspector has additional modifiers that allow you to 
further refine filter results. For more information, see Individual File Filter Options. 


Individual File Filter Options 


You may use any of these file filter options on individual files within a case in Cellebrite 
Inspector. 

• List All Files 
• Name 
• Path 
• Kind 
• Extension 
• Content Extension 
• Extension Matching 
• Tagged State 
• Tag Name 
• Size 
• Owner 
• Group 
• Permission 
• Dates Created, Modified, Accessed, and Added 
• Inspector ID 
• File System ID 
• Hash Set 
• Hash Set Category 
• File Hash 
• List Duplicate Files 
• File Entropy 
• Soft Link Path 
• Hard Link Target ID 
• Directory 
• Locked 
• Resource Fork 
• Alternate Data Stream 
• Visibility 
• iOS Hidden Item 
• Metadata Field 
• Metadata Value 
• Metadata Field Value 
• Spotlight Field 
• Spotlight Value 
• Spotlight Field Value 
• Internal Filter 
• Snapshot (APFS) / Volume Shadow Copy (NTFS) 
• OCR Image Text 
List All Files 


While the List All Files filter may take time to complete, it can be useful. For example, you can 
sort all files by ID, or by file type (content extension). The latter groups all known files together 
based on their file signature. During the sort process, a progress bar appears in the middle of 
the Case Manager window. 


The File Filter view can display these columns. 


• Tagged State 
• Evidence ID 
• BLID - The reference ID of a given file or folder within Inspector's casefile database 
• FSID - The file system ID parsed from the file record 
• Name 
• Size - Logical size 
• MD5 
• Date Created 
• Date Modified 
• Date Accessed 
• Date Added 
• Version Index 
• Extension - File extension stored in the file system 
• Content Extension - Displays the extension based on the content header (file signature) 
• Path 
• Directory 
• Locked - Displays locked/unlocked status (for example, read-only) 
• Visible - Displays hidden/visible status 
• Category 
• SHA1 
• SHA256 
• Entropy 


Right-click or press CTRL while you click anywhere in the Content pane. Click Action > Save File 
Listing. This saves the full file list of selected files. The time it takes depends upon the total 
number of files selected. 


You can export file listings from the Content pane to a CSV or TSV delimited text file for 
importing into a spreadsheet or database application. For more information, see Workspace 
Orientation. 
Name 


The Name filter has six modifier options. You can simultaneously filter by more than one name 
by typing each name into the field to the right of the modifier field and separating each with a 
colon. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Path 


The Path filter has the same modifier options as the Name filter. However, you can filter only one 
path at a time. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Kind 


The Kind filter may be the most commonly used filter in Inspector. It filters files based on a 
genus or category. Use this filter to locate similar files, such as picture or document files. 


The Kind filter has 13 primary modifier options. Some of these primary modifiers have secondary 
modifier options. 


• Application (Locates application types) 

    All             All types below 
    Mac             app bundles 
    Win             .exe executables 

• Archives (Locates these archive file types) 

    All             All types below 
    7z              7-Zip file (.7z) 
    alz             ALZip archive file (.alz) 
    bz2             Burrows-Wheeler compressed file (.bz2) 
    cpio            Unix CPIO archive file (.cpio) 
    gz              GNU compressed file (.gz) 
    jar             Java archive file (.jar) 
    lzma            Lempel-Ziv-Markov chain algorithm compressed file (.lzma) 
    nsarchive       Object data stored to an archive file 
    pkg             macOS installer package (.pkg) 
    rar             Roshal Archive file (.rar) 
    sit             StuffIt format files (.sit, .sitx, and .sea) 
    tar             Tape archive format (.tar) 
    uue             Uuencoded file (.uue) 
    wim             Windows Imaging Format file (.wim) 
    xz              XZ compressed archive (.xz) 
    zip             PKWare-based zip file (.zip) 

• Audio (Locates audio files) 

• Databases (Locates these database file types) 

    All             All types below 
    db              Database file (.db) 
    sql             SQL database file (.sql) 
    sqlite          SQLite database file (.sqlite) 

• Disk Images (Locates these disk image file types) 

    All             All types below 
    aff4            Advanced Forensic File Format (.aff4) 
    dmg             Apple Disk Image (.dmg) 
    img             Macintosh Disk Image (.img) 
    iso             ISO-9660 standard image (.iso) 
    sparsebundle    Apple Sparse Bundle (.sparsebundle) 
    sparseimage     Apple Sparse Image (.sparseimage) 

• Emails (Locates these types of email) 

    Apple Mail               .eml, .emlx 
    Outlook 2011 for Mac     .olk14message, .olk14msgsource 
    Outlook 2016 for Mac     .olk15message, .olk15msgsource 
    Outlook for Windows      .ost, .pst 

• Folder (Locates all folders and directories) 

• iWork (Locates these iWork office file types) 

    All             All types below 
    Keynote         iWork Keynote (presentation) files (.key) 
    Numbers         iWork Numbers (spreadsheet) files (.numbers) 
    Pages           iWork Pages (word processor) files (.pages) 

• Office Documents (Locates these Microsoft Office file types) 

    All             All types below 
    Excel           Microsoft Excel files (.xls, .xlsx) 
    PowerPoint      Microsoft PowerPoint files (.ppt, .pptx) 
    Word            Microsoft Word files (.doc, .docx) 

• PDF (Locates all .pdf files) 

• Pictures (Locates these picture file types) 

    All             All types below 
    BMP             Bitmap raster graphics image file format (.bmp) 
    GIF             Graphics Interchange Format (.gif) 
    HEIC            High Efficiency Image File Format (.heic) 
    JPG             Joint Photographic Experts Group format (.jpg, .jp2, .jpeg) 
    KDC             Bitmap image format used by several Kodak digital cameras (.kdc) 
    PNG             Portable Network Graphics (.png) 
    PSD             Adobe Photoshop (.psd) 
    TIFF            Tagged Image File Format (.tif, .tiff) 
    XBM             X BitMap, a plain-text bitmap image format (.xbm) 

• Plists (Locates .plist file types) 

• Videos (Locates these video file types) 

    Multimedia container format defined by the Third Generation Partnership Project (.3gp, .3g2) 
    Audio Video Interleave (.avi) 
    Digital video file (.dv) 
    Flash Video (.flv) 
    Digital multimedia container format (.m4v, .mp4) 
    QuickTime file format (.mov) 
    Standard for lossy compression of video and audio (.mpeg, .mpg) 
    Video Object, the container format of DVD-Video media (.vob) 
    Windows Media Video (.wmv) 
    Low-resolution GoPro video files (.lrv) 


Extension 


The Extension filter has six modifier options. You can simultaneously filter by more than one file 
extension by typing each file extension into the field to the right of the modifier field, separating 
each with a colon. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


File extensions are assigned to a file by an application or a user. On Mac computers, files may 
not have extensions, or the file extensions may not be visible. 


Content Extension 


The Content Extension filter has the same modifier options as the Extension filter. Filtering by 
Content Extension is based on file signature, rather than on the visible extension within the file 
name. You can simultaneously filter by more than one content extension by typing each into the 
field to the right of the modifier field, separating each with a colon. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


Extension Matching 


The Extension Matching filter compares file extensions to file signatures. Use this filter to isolate 
files with extensions and signatures that match or don't match. (A user can easily modify a file 
extension, but a file signature is more difficult to modify.) 


The Extension Matching filter has two modifier options. 


• Extensions Don't Match (default) 
• Extensions Match 
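The Content Extension and Extension Matching filters above both rest on the same step: read the first bytes of a file, look them up in a signature table, and compare the implied type with the name's extension. The following added example, which is not Inspector's code and not part of the original guide, does that over a constructed file listing. The signature table is a short hand-built list of widely documented magic values, not Inspector's signature database, and the decision to treat files with an unknown header or no extension as "matching" is this example's own choice. 

```python
import os

# Constructed signature table for this example (all magic values at offset 0).
# Inspector's own file signature database is not reproduced here.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"MZ", "exe"),
    (b"SQLite format 3\x00", "sqlite"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),
]

# Extensions that legitimately share one container signature
EQUIVALENT = {
    "zip": {"zip", "jar", "docx", "xlsx", "pptx", "key", "numbers", "pages"},
    "jpg": {"jpg", "jpeg"},
    "doc": {"doc", "xls", "ppt"},          # OLE2 compound documents
    "exe": {"exe", "dll", "sys", "scr"},
    "sqlite": {"sqlite", "sqlite3", "db"},
}


def content_extension(head):
    """Content Extension: the extension implied by the header bytes, or None if unknown."""
    for magic, ext in SIGNATURES:
        if head.startswith(magic):
            return ext
    return None


def name_extension(filename):
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return ext or None


def extensions_match(filename, head):
    """Extension Matching. Files with an unknown header or no extension count as matching,
    so the default 'Extensions Don't Match' view lists only positive mismatches."""
    sig = content_extension(head)
    ext = name_extension(filename)
    if sig is None or ext is None:
        return True
    return ext in EQUIVALENT.get(sig, {sig})


def filter_listing(listing, want_match=False):
    """Rows (name, extension, content extension) selected by the chosen modifier."""
    return [(name, name_extension(name), content_extension(head))
            for name, head in listing
            if extensions_match(name, head) == want_match]


# Constructed sample listing: (file name, first bytes of the file)
SAMPLE_LISTING = [
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("holiday.JPEG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),           # executable renamed to .pdf
    ("notes.txt", b"\x89PNG\r\n\x1a\n\x00\x00"),      # image renamed to .txt
    ("README", b"Plain text, no extension"),
    ("msgstore.db", b"SQLite format 3\x00"),
]

if __name__ == "__main__":
    for row in filter_listing(SAMPLE_LISTING):
        print("extension/signature mismatch:", row)
```

The EQUIVALENT table is the part that needs care in practice: Office Open XML, JAR and iWork files are all zip containers, so a naive byte-for-byte comparison of "zip" against "docx" would flood the mismatch view with legitimate files. 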
Tagged State 


The Tagged State filter has three modifier options. 


• Tagged Files (default) 
• Untagged Files 
• Both Tagged and Untagged Files 


Tag Name 


The Tag Name filter has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 
Size 


The Size filter has primary and secondary modifier options. Both modifiers must be set for the 
filter to function. After modifiers are set, click Filter. 


First, choose from this list of modifiers. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 


Next, type a custom file size in the text field and choose a unit of measure. 


• Bytes 
• KB (Kilobytes) (default) 
• MB (Megabytes) 
• GB (Gigabytes) 


Owner 


The Owner filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 
Group 


The Group filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 


Permission 


The Permission filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 


Dates Created, Modified, Accessed, and Added 


The Date Created, Date Modified, Date Accessed, and Date Added filters have ten modifier 
options. 


• is between (default) 
• is before 
• is after 
• is exactly 
• is not 
• is exactly (with HH:MM) 
• is after (with HH:MM) 
• is before (with HH:MM) 
• is between (with HH:MM) 
• is not (with HH:MM) 


To the right of the date field, click the calendar icon. On the calendar, click < or > to scroll 
through the months. Or, at the top of the calendar, choose a month and year from the drop-down 
menus. Select a number to choose a day of the month. The date text field is populated, and the 
calendar closes. 


To modify the date manually, in the date field click to select a month, day, or year value, and type 
the desired numeric value into the text field. To modify the date incrementally, in the date field 
click to select a month, day, or year value. To the right of the date field, click the up or down 
arrows to increase or decrease the date value incrementally. 


To enter a time, in the hour portion of the time field, type the hours in 24-hour format. You may 
also type the minutes from 00-59. 


Note: Time options are not available in File Filter view. 
Inspector ID 


Inspector ID is a unique internal file identifier. It is different from the file system ID number. The 
Inspector ID number is generated during ingestion for every file. This is done because some files 
do not have a file system ID (deleted files, files from archives, ingested file or folder items). 
Inspector uses this as an internal tracking system. Inspector IDs are unique only within the case 
file in which they reside. The filter option has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 

File System ID 


The File System ID filter option has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 


Folders and files on a volume formatted in HFS or HFS+ are assigned a unique Catalog Node ID 
(CNID). Using the File System ID file filter, you can search for folders and files by a specific 
Catalog Node ID, or within a Catalog Node ID numerical range. NTFS files use the MFT record number. 


Hash Set 


The Hash Set filter supports positive and negative hash value filtering against one or more hash 
sets. For more information, see Hash Set and File Signature DB Management. This filter has two 
modifier options. 


• Files in Hash Set (default) 
• Files Not in Hash Set 


You can download hash sets from Cellebrite. Inspector can use those hash sets and import 
EnCase (6.19 and lower), NSRL (full), and text-based (one hash value per line, with each line 
separated by a carriage return) hash sets. Additionally, you can create custom hash sets from 
file hash values generated during a case examination. 


The Hash Set filter is available only after you run the Known Files processor on a device in the 
case, using one or more hash sets (bundled and custom). Each hash set you select before 
running the Known Files processor is available as a Hash Set filter option. 


To create a positive hash filter, which isolates only files with hash values matching those in the 
chosen hash set, choose the Files in Hash Set option and select a bundled or custom hash set. 
To create a negative hash filter, which isolates only files with hash values not matching those in 
the chosen hash set, choose the Files Not in Hash Set option and select a bundled or custom 
hash set. 


Hash Set Category 


The Hash Set Category filter allows for numeric filtering of file hash categories (for hash sets 
with categories, such as PhotoDNA, S21). Hash sets in Inspector can be assigned a number from 
0 through 9. The filter has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 


the hash set being used 


File Hash 


The File Hash filter has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


You can filter by hash values using all characters of a hash value or by using only part of a hash 
value. You can filter data based on any of these hash values (MD5, SHA-1, or SHA-256). This filter 
only works after you run the Hashes processor on a device in the case. 

List Duplicate Files 

The List Duplicate Files filter option has no modifiers. It shows all duplicate files based on hash 
value. This filter only works after you run the Hashes processor on a device in the case. 
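The three hash-based filters above (Hash Set, File Hash, and List Duplicate Files) all work from the same two inputs: a digest per file produced by the Hashes processor, and, for Hash Set, an imported list of known digests. The following added example, which is not Inspector's code and not part of the original guide, shows the positive and negative hash set filters, the partial-match File Hash modifiers, and duplicate grouping over a constructed set of files. The text-based hash set follows the one-hash-per-line format the page describes; tolerating mixed case, blank lines and '#' comment lines is this example's own assumption. 

```python
import hashlib
from collections import defaultdict

# Constructed text-based hash set (one hash value per line). The two values are the MD5 of
# an empty file and of the bytes "hello world".
KNOWN_HASHES_TXT = """\
# constructed sample set
D41D8CD98F00B204E9800998ECF8427E
5eb63bbbe01eeed093cb22bb8f5acdc3

"""

# Constructed sample device contents: file name -> bytes
SAMPLE_FILES = {
    "empty.dat": b"",
    "greeting.txt": b"hello world",
    "greeting-copy.txt": b"hello world",
    "notes.txt": b"meeting at noon",
}


def load_text_hash_set(text):
    """Parse a one-hash-per-line set into lowercase digests; skip blanks and '#' comments."""
    out = set()
    for line in text.splitlines():
        value = line.strip().lower()
        if value and not value.startswith("#"):
            out.add(value)
    return out


def hash_files(files, algorithm="md5"):
    """Stand-in for the Hashes processor: file name -> lowercase hex digest."""
    return {name: hashlib.new(algorithm, data).hexdigest() for name, data in files.items()}


def hash_set_filter(file_hashes, hash_set, in_set=True):
    """Hash Set filter. in_set=True is the positive filter (known files only);
    in_set=False is the negative filter (everything not in the set, e.g. NSRL exclusion)."""
    return sorted(name for name, digest in file_hashes.items()
                  if (digest in hash_set) == in_set)


def file_hash_filter(file_hashes, needle, mode="contains"):
    """File Hash filter: full or partial digest match with the six modifiers."""
    needle = needle.lower()
    ops = {
        "contains": lambda h: needle in h,
        "does not contain": lambda h: needle not in h,
        "starts with": lambda h: h.startswith(needle),
        "ends with": lambda h: h.endswith(needle),
        "is": lambda h: h == needle,
        "is not": lambda h: h != needle,
    }
    return sorted(name for name, digest in file_hashes.items() if ops[mode](digest))


def duplicate_groups(file_hashes):
    """List Duplicate Files: groups of two or more names that share one digest."""
    by_digest = defaultdict(list)
    for name, digest in file_hashes.items():
        by_digest[digest].append(name)
    return sorted(sorted(names) for names in by_digest.values() if len(names) > 1)


if __name__ == "__main__":
    digests = hash_files(SAMPLE_FILES)
    known = load_text_hash_set(KNOWN_HASHES_TXT)
    print("known:", hash_set_filter(digests, known))
    print("unknown:", hash_set_filter(digests, known, in_set=False))
    print("duplicates:", duplicate_groups(digests))
```

Normalizing case on both sides matters: hash sets from different sources mix upper- and lowercase hex, and a case-sensitive comparison silently turns a negative filter into "show everything". 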

File Entropy 


The File Entropy filter has three modifier options. 


• High (>0.8) 
• Medium (0.5 - 0.8) 
• Low (<0.5) 
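The three bands above are on a 0 to 1 scale, which corresponds to the Shannon entropy of the file's byte distribution divided by the 8-bit maximum. The following added example, which is not Inspector's code and not part of the original guide, computes that value and maps it onto the page's bands for a few constructed inputs whose entropy is known exactly. The page does not say which band the boundary values 0.5 and 0.8 fall into; placing both in Medium is this example's assumption. 

```python
import math

# File Entropy bands from the guide: High (>0.8), Medium (0.5-0.8), Low (<0.5).
# Boundary values 0.5 and 0.8 are assigned to Medium here (assumption).
HIGH_ABOVE = 0.8
LOW_BELOW = 0.5


def normalized_entropy(data):
    """Byte-frequency Shannon entropy scaled to 0.0-1.0 (bits per byte / 8); empty input is 0.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    bits = -sum((c / n) * math.log2(c / n) for c in counts if c)
    return bits / 8.0


def entropy_bucket(value):
    """Map a normalized entropy value onto the filter's three bands."""
    if value > HIGH_ABOVE:
        return "High"
    if value >= LOW_BELOW:
        return "Medium"
    return "Low"


def classify(data):
    """Return (entropy rounded to 4 places, band) for one file's bytes."""
    e = normalized_entropy(data)
    return round(e, 4), entropy_bucket(e)


# Constructed samples whose entropy is known exactly
SAMPLES = {
    "zero-filled slack": bytes(4096),                        # 0 bits/byte
    "two-symbol text": b"ab" * 2048,                         # 1 bit/byte
    "32 byte values, uniform": bytes(range(32)) * 128,       # 5 bits/byte
    "all 256 byte values, uniform": bytes(range(256)) * 16,  # 8 bits/byte
}


def classify_samples():
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (value, band) in classify_samples().items():
        print(f"{name:30s} {value:.4f} {band}")
```

Well-encrypted or compressed content approaches 1.0 and lands in High, which is why the filter is a quick way to surface encrypted containers and packed binaries; plain ASCII text usually sits in Medium, and zero-filled or sparse files in Low. The measure is over the whole file, so a small encrypted payload padded with zeros is diluted toward Medium or Low. 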
Soft Link Path 


You can use this filter to find soft links (symbolic links) created in macOS. The Soft Link Path 
filter has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


Hard Link Target ID 


You can use this filter to find files within a Time Machine backup. The Hard Link Target ID filter 
has six modifier options. 


• equals 
• is less than 
• is greater than (default) 
• is not 
• is <= to 
• is >= to 
Directory 


The Directory filter has three modifier options. 


• Directories only 
• Files only 
• both directories and files (default) 


Locked 


The Locked filter has three modifier options. 


• Locked files only 
• Unlocked files only 
• both Locked and Unlocked files (default) 


Locked files are write-protected (read-only). A standard user can open these files and perhaps 
copy them to a different location. However, a locked file cannot (under normal circumstances) be 
modified, renamed, or deleted. 
Resource Fork 


The Resource Fork filter has three modifier options. 


• only files with a Resource Fork 
• only files without a Resource Fork 
• files with or without a Resource Fork (default) 


In macOS, "design element" information is stored in a file's resource fork. "Raw" information, 
such as text, is stored in a file's data fork. 


Alternate Data Stream 


The Alternate Data Stream filter has three modifier options. 


• only files with an Alternate Data Stream 
• only files without an Alternate Data Stream 
• files with or without an Alternate Data Stream (default) 


Visibility 


The Visibility filter has three modifier options. 


• Visible files only 
• Invisible files only 
• both Visible and Invisible files (default) 


Many system files are hidden in macOS to prevent accidental user modifications. However, users 
can manually hide both folders and files by highlighting the folder or file name and typing a dot 
(.) at the beginning of the name. The Visibility filter does not include files and folders hidden by 
users in filter results. To include files and folders hidden by users in results, also use the Name 
filter modified by starts with . (dot). 


iOS Hidden Item 


The iOS Hidden Item filter has no modifiers. It shows iOS Hidden Items. 
Metadata Field 


A Metadata Field is based on the metadata Field column seen in the File Information pane. For 
example, a metadata field could be Megapixels, Aspect Ratio, or Skin Tone. Not all files contain 
the same types of metadata. This filter isolates only files containing the metadata field you specify. 


The Metadata Field filter option has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


You can simultaneously filter by more than one metadata item by typing each metadata item into 
the field to the right of the modifier option field and separating each item with a colon. 


Metadata Value 


The Metadata Value filter has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


You can simultaneously filter by more than one metadata value by typing each value into the text 
field to the right of the modifier option field and separating each item with a colon. 


Some metadata values, such as picture aspect ratios, contain a colon (for example, a 4:3 aspect 
ratio). In this case, the colon must be "escaped" to prevent the filter from being read as the two 
separate values "4" and "3". To filter files by metadata values that contain a colon, type the colon 
twice. For example, to filter for the aspect ratio 4:3, type 4::3 into the filter criteria field. 
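The escaping rule above is easy to get wrong in the other direction too: an unescaped 4:3 does not fail, it silently matches every value containing a 4 or a 3. The following added example, which is not Inspector's code and not part of the original guide, implements a splitter for the colon-separated multi-value field with the double-colon escape and runs the contains and is modifiers over a constructed set of Aspect Ratio values, so the difference between 4:3 and 4::3 is visible. Dropping empty values (for example from a trailing colon) is this example's assumption. 

```python
def split_filter_values(text):
    """Split a multi-value filter field on ':'; a doubled '::' is a literal colon.
    Empty values (e.g. from a trailing ':') are dropped (assumption)."""
    values, current, i = [], [], 0
    while i < len(text):
        if text[i] == ":":
            if text[i + 1:i + 2] == ":":      # escaped colon: keep one ':' in the value
                current.append(":")
                i += 2
                continue
            values.append("".join(current))  # separator: close the current value
            current = []
        else:
            current.append(text[i])
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


# Constructed sample rows: the Aspect Ratio metadata value of four pictures
SAMPLE_ROWS = [
    {"Name": "IMG_0001.jpg", "Aspect Ratio": "4:3"},
    {"Name": "IMG_0002.jpg", "Aspect Ratio": "16:9"},
    {"Name": "IMG_0003.jpg", "Aspect Ratio": "3:2"},
    {"Name": "IMG_0004.jpg", "Aspect Ratio": "1:1"},
]


def metadata_value_filter(rows, field, criteria, mode="contains"):
    """Metadata Value filter: a row matches if any of the entered values matches
    under the chosen modifier ('contains' or 'is')."""
    wanted = split_filter_values(criteria)

    def hit(value):
        if mode == "is":
            return value in wanted
        return any(w in value for w in wanted)

    return [row["Name"] for row in rows if hit(row.get(field, ""))]


if __name__ == "__main__":
    print("4:3  ->", metadata_value_filter(SAMPLE_ROWS, "Aspect Ratio", "4:3"))
    print("4::3 ->", metadata_value_filter(SAMPLE_ROWS, "Aspect Ratio", "4::3"))
```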


Metadata Field Value 


The filter combines the Metadata Field filter with the Metadata Value filter. The modifier options 
listed for the Metadata Field and the Metadata Value filters are present in this combined filter. 
Spotlight Field 


To use this filter, the Spotlight Index must be parsed in Advanced processing options. The 
Spotlight Field filter option has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


Spotlight Value 


To use this filter, the Spotlight Index must be parsed in Advanced processing options. The 
Spotlight Value filter option has six modifier options. 


• contains (default) 
• does not contain 
• starts with 
• ends with 
• is 
• is not 


Spotlight Field Value 


This filter combines the Spotlight Field filter with the Spotlight Value filter. The modifier options 
listed for the Spotlight Field and the Spotlight Value filters are present in this combined filter. 


Internal Filter 


You can select this filter when the File Filter view shows a custom SQL value from the Details 
view [for example, when double-clicking on a bar graph element in the Details - Artifacts view). 
This allows for the data to be sorted, refreshed, and further filtered. If you attempt to select the 
Internal Filter option when building a custom filter, Inspector automatically switches to the List 
All Files filter instead. 




Snapshot (APFS) / Volume Shadow Copy (NTFS) 


The Snapshot filter works on macOS computers that use the APFS file system. Volume Shadow 
Copies exist on Windows NTFS file systems. The Snapshot/Volume Shadow Copy filter option has 
four modifier options. 


• only files with changes in a Snapshot/VSC 
• only files that exist in more than one Snapshot/VSC (Active partition included) 
• only files that are unique to the Active partition or to a Snapshot/VSC 
• all files 


In either the File Filter view or the Browser view, double-click any file that is, or has, a Volume 
Shadow Copy version, and a separate File History window appears. In this window, all Volume 
Shadow Copy versions of a file can be further analyzed. 


OCR Image Text 


Optical character recognition (OCR) converts text detected in an image into plain text which can 
be indexed and then searched. This process is limited to these image types. 


• pdf 
• tiff 
• bmp 
• png 
• jpg 
• gif 


This filter has these options. 


• Only files with OCR Image Text 
• Only files without OCR Image Text 
• Files with or without OCR Image Text 


Text obtained through OCR appears on the Strings tab in the File Content view after this label: 
****** OCR Image Text ****** 


You can search OCR text with an index search, but not with a content search, because the 
recognized text is not present in the file's own bytes, which is what a content search scans. 
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Using File Filters 


In the Component list under Evidence, select a device. On the toolbar, click File Filter. Click + 
Condition or + Group to add a filter criteria row or group. 


This example shows a file filter to isolate all picture file types created after January 1, 2013. 


[Screenshot: File Filter view with the Invert Filter and Ignore Folders and Duplicate Files checkboxes and the Reset..., Save This Filter and Filter buttons]

Add the Kind condition and the modifier Pictures - All. Next, add the Date Created condition and the
modifier is after, then set the date to 1/1/2013. Click Filter. The results show all .bmp, ot, .heic,
.jpg, .kdc, .png, .psd, .tiff, and .xbm picture file types, further isolated to files created after
January 1, 2013.


To suppress folders and file duplicates in the results, mark the Ignore Folders and Duplicate Files 
checkbox. To filter files that match the inverse of the filter criteria, mark the Invert Filter 
checkbox. 


To remove a filter criteria row or group, click X. 
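The filter semantics above (condition rows, All/Any groups, Invert Filter, and Ignore Folders and Duplicate Files) can be modelled in a few lines. The following is an added example written for this guide, not code from Cellebrite Inspector: the picture extensions are the ones the guide's example lists, while the record layout, the function names and the sample files are assumptions made for the example.

```python
"""Added example, written for this guide rather than taken from Cellebrite
Inspector: a small model of the file-filter semantics described above
(condition rows, All/Any groups, Invert Filter, Ignore Folders and Duplicate
Files).  The picture extensions come from the guide's example; the record
layout, function names and sample files are assumptions made for the example."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional

# Extensions the guide lists as the result of Kind = "Pictures - All".
PICTURES_ALL = {"bmp", "heic", "jpg", "kdc", "png", "psd", "tiff", "xbm"}


@dataclass(frozen=True)
class FileRecord:
    path: str
    is_folder: bool
    created: datetime
    sha1: Optional[str] = None  # content hash; folders have none


# A condition row is a predicate over one record.
Condition = Callable[[FileRecord], bool]


def kind_is_pictures_all() -> Condition:
    """Kind | is | Pictures - All, approximated here by file extension."""
    def test(r: FileRecord) -> bool:
        if r.is_folder or "." not in r.path:
            return False
        return r.path.rsplit(".", 1)[1].lower() in PICTURES_ALL
    return test


def date_created_is_after(when: datetime) -> Condition:
    """Date Created | is after | <date>."""
    return lambda r: r.created > when


def group(match_all: bool, *rows: Condition) -> Condition:
    """A filter group: Match All = every row must hold, Match Any = one is enough."""
    combine = all if match_all else any
    return lambda r: combine(row(r) for row in rows)


def apply_filter(records: List[FileRecord], root: Condition,
                 invert: bool = False,
                 ignore_folders_and_duplicates: bool = False) -> List[FileRecord]:
    """Evaluate the filter and return the matching records in their original order."""
    seen_hashes = set()
    results = []
    for r in records:
        matched = root(r)
        if invert:                      # Invert Filter: keep what the criteria reject
            matched = not matched
        if not matched:
            continue
        if ignore_folders_and_duplicates:
            if r.is_folder:
                continue
            if r.sha1 in seen_hashes:   # same content already reported once
                continue
            seen_hashes.add(r.sha1)
        results.append(r)
    return results


# Constructed sample evidence: a handful of records with made-up hashes.
SAMPLE_FILES = [
    FileRecord("/Users/josh/Pictures", True, datetime(2012, 6, 1)),
    FileRecord("/Users/josh/Pictures/IMG_0001.jpg", False, datetime(2014, 2, 15), "a1"),
    FileRecord("/Users/josh/Pictures/IMG_0001 copy.jpg", False, datetime(2014, 3, 1), "a1"),
    FileRecord("/Users/josh/Pictures/old.png", False, datetime(2011, 5, 5), "b2"),
    FileRecord("/Users/josh/Documents/report.docx", False, datetime(2015, 1, 1), "c3"),
    FileRecord("/Users/josh/Pictures/scan.tiff", False, datetime(2013, 6, 1), "d4"),
]


def picture_filter_example(invert: bool = False,
                           ignore_folders_and_duplicates: bool = False) -> List[str]:
    """The guide's example: Kind is Pictures - All AND Date Created is after 1/1/2013."""
    root = group(True, kind_is_pictures_all(), date_created_is_after(datetime(2013, 1, 1)))
    hits = apply_filter(SAMPLE_FILES, root, invert, ignore_folders_and_duplicates)
    return [r.path for r in hits]


if __name__ == "__main__":
    for path in picture_filter_example():
        print(path)
```

Running the example with the two checkboxes toggled shows the difference they make: with Ignore Folders and Duplicate Files the second copy of IMG_0001.jpg drops out, and with Invert Filter the folder, the 2011 picture and the .docx are what remain.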


Saving and Managing File Filters 


To save a file filter for later use, click Save This Filter. Type a name for the filter and click OK. 
Inspector saves the current filter settings. Saved filters appear in the Saved Filters list in the top 
right corner of the Content pane. 


Saved file filters also appear in the Inspector Search view and may be applied to further refine 
search results. For more information, see Search. 


To rename or remove a saved filter, in the top right corner of the Content pane click Saved Filters 
> Manage Saved Filters. The User Created Filters window appears. 


• To rename a filter, select the filter from the list, and then click Rename. Type a new filter
name and click anywhere in the window to escape the text field.

• To remove a saved file filter, select the filter from the list, and then click Remove.

Applying a Preset Filter or Saved File Filter 


To apply a preset filter or a saved filter, in the Saved Filters list, select the filter and then click 
Filter. 


To clear and reset the current filter settings, click Reset. 
Filtering within Specific Views


Several views in Cellebrite Inspector include a file filter. The filter options that are available 
depend upon which view is in use. 


The button changes in appearance such that the arrows are reversed, and a filter pane appears 
in the right portion of the Content pane. When a filter is applied, the Show/Hide Filter button is 
green. 




To show or hide the file filter, toggle Show/Hide Filter (three arrows) at the top right of the
Content pane.


When Show/Hide Filter is black, no filter is applied. While at least one filter is applied, it is green. 


To create a filter for a view, to the right of Apply, click + (add). In the filter field, the default is Any. 
Choose an appropriate filter option and set the modifiers. Repeat this process to add more filter 
options. 


To remove a filter option, to the right of the filter, click - (remove). 


To remove all filters and return to showing all files, click - (remove) for each filter, then click
Apply.

This example shows filter options for the Messages sub-view of the Communications view.

[Screenshot: filter pane for the Messages sub-view, with Match: All, the Reset... and Apply buttons, and a filter row (default Any, modifier contains) whose field list offers: Any, Attachments, Content, Date, Date Delivered, Date Read, Direction, Failed, Message ID, Participants, Sender, Service, BID, Subject, Deleted Record]
Locating Live Victims


File Filters 


Using the Cellebrite Inspector Locations and File Filter or Media File Filter features together, an
investigator may quickly isolate picture and/or video files containing geolocation metadata with
just a few keystrokes. The investigator may then locate additional picture and video files taken at
the same location and/or with the same iPhone, iPad, or other camera make and model by
applying a filter containing specific longitude and latitude coordinates, or the smart device or
camera model name.


[Screenshot: File Information pane for a picture, showing the Metadata Field (left column) and Metadata Value (right column) entries]

Metadata Field          Metadata Value
Subject Area:           (1023, 767, 614, 614)
Flashpix Versi...       1.
Color Space:            sRGB
Width:                  2048
Height:                 1536
Sensing Meth...         One-chip color area sen...
Exposure Mode:          Auto Exposure
White Balance:          Auto white balance
Scene Captur...         Standard
Sharpness:              Soft
GPS
North or South...       N
Latitude:               [42, 5.33, 0]
East or West L...       W
Longitude:              (87, 42.97, 0)
Altitude Refer...       Sea level
Altitude:               192.27
GPS time (ato...        [18, 21, 22.65]
Reference for ...       True direction
Direction of Im...      41.9


The Inspector Metadata Field filter isolates files containing specified metadata attributes (seen
in the above screenshot, left column). For example, choose the Metadata Field file filter to ask
Inspector to 'show me all the files containing GPS, latitude, longitude, and EXIF metadata.'
Inspector also has a built-in filter, Geo Location, to locate data containing geolocation
information based on the presence of geolocation Metadata Fields.


The Metadata Value filter isolates files containing specified metadata values (seen in the above
screenshot, right column) such as an actual longitude or latitude coordinate or a specific camera
make. For example, choose the Metadata Value file filter to ask Inspector to 'show me all the
files containing the latitude coordinate [43, 38, 33.21].'


In this example, we combine a geolocation filter in the Media view, and the Metadata Value file 
filter to locate pictures taken at the same location. 




Locating Picture or Video Files Created at the Same Location 


To isolate media files containing geolocation metadata, in the Component list under Evidence 
select a device. On the toolbar, click Media. 


Next, click Show/Hide Filter (three arrows) below the right side of the toolbar.


The button changes in appearance such that the arrows are reversed, and a filter pane appears 
in the right portion of the Content pane. When a filter is applied, the Show/Hide Filter button is 
green. 




To the right of Apply, click + (add). The default filter is File Filter | is | Current File Filter. Click 
Current File Filter and select Geo Location. 


[Screenshot: Media view filter pane with Match: All, the Reset... and Apply buttons, and one row reading File Filter | is | Geo Location]


Click Apply to see only media files containing geolocation metadata. 


To find media files containing the same GPS coordinates, in the Content pane select a file that 
has GPS metadata. In the bottom left corner of the Case Window in the File Information pane, 
GPS metadata values for the selected file appear in the GPS section in the Value column. Make 
note of the GPS longitude or latitude value. In this example, we use latitude [43, 38, 33.21]. 


[Screenshot: File Information pane for the selected picture, Field and Value columns]

Field                   Value
White Balance:          Auto white balance
35mm Focal L...         33
Scene Captur...         Standard
Unknown Tag...          [4.12, 4.12, 2.4, 2.4]
Unknown Tag...          Apple
Unknown Tag...          iPhone 5 back camera
GPS
North or South...       N
Latitude:               [43, 38, 33.21]
East or West L...       W
Longitude:              [79, 23, 6.78]
Altitude Refer...       Sea level
Altitude:               94.8
GPS time (ato...        [17, 57, 41]
Reference for ...       True direction
Direction of Im...      329.16
GPS Date:               2014:02:15


On the toolbar, click File Filter. The File Filter view appears. 


At the top of the Content pane, select the existing file filter drop-down menu and select Metadata 
Value. 


A secondary drop-down menu and text field appear. Leave contains (default) selected and in the
text field, type the previously noted longitude or latitude coordinates:


[Screenshot: File Filter view with Match All, the + Condition and + Group controls, a condition row reading Metadata Value | contains | 43, 38, 33.21, and the Invert Filter, Ignore Folders and Duplicate Files, Reset... and Save This Filter controls]


Click Filter, and Inspector isolates files containing the defined longitude or latitude coordinates. 
On the toolbar, click Media to switch back to the Media view. To the right of the Apply button, 
click + (add). Inspector configures a second File Filter | is | Current File Filter by default. Leave 
this setting as is and click Apply. 


[Screenshot: Media view filter pane with Match: All, the Reset... and Apply buttons, and two rows: File Filter | is | Geo Location, and File Filter | is | Current File Filter]


Inspector applies the Metadata Value filter and displays only the pictures containing latitude [43, 
38, 33.21] metadata. 
Mac and iPhone forensic analysts may use the same file filtering technique to isolate files taken
by an iPhone (or any other camera type). To do so, on the toolbar click File Filter and select the
Metadata Value filter. In the text field, type iPhone and click Filter. On the toolbar, click Media to
switch back to the Media view. Click Apply. Inspector shows the pictures containing an iPhone
metadata value.


Another way to find picture or video files created at the same location is to use the Map View 
sub-view in the Locations view. On the toolbar, click Locations. With the Map View sub-view 
selected, the Content pane shows a map on which data containing geolocation information is 
plotted. 


The map itself is divided up into square regions. Click a region to highlight it in yellow; the data
plotted in that square of the map is then listed in the right section of the Content pane.


[Screenshot: Locations view with the Map View sub-view selected. A map region is highlighted, and the right section of the Content pane lists the items plotted in it with Date and Type columns (Picture entries), above the INDEX SEARCHES and INVESTIGATIVE NOTES sections and the Name and Path of the selected file]
The Type column reveals the type of data the geolocation was extracted from. Depending on the
device, location data may be stored in various applications and system files. Pictures and videos
containing location data are listed with the types Picture and Video. Using the zoom slide-bar, an
investigator can focus in on a specific geographic location. After zooming in on the area of interest,
apply a filter to display only picture and video files. Double-click on the Latitude column to sort
the pictures and videos by location, so that pictures and videos taken at the same location are
grouped together. When a file is highlighted in the Content pane, the associated data point on the
map changes from blue to pink. The File Content view can be used to preview the file.


[Screenshot: the selected picture below the Map View list, with the INDEX SEARCHES and INVESTIGATIVE NOTES sections, the file's Name and Path, and the Current File path in the status bar]


Map View is an interactive interface to locate and review pictures and videos of interest taken at 
a location of interest. For more information, see Locations, Internet, and Productivity Views. 
Sorting Media Files by Calculated Skin Percentage


To sort filtered media files so that files with the highest calculated skin percentage appear first, 
on the toolbar click Media. 


In the top left corner of the Content pane, select the secondary drop-down menu and choose 
Calculated Skin %. 


Inspector sorts the media files, and the media file containing the highest calculated skin 
percentage appears first. This feature is quite useful if there are many media files created at the 
same location. 


Sorting Media Files by Image Analyzer Categories 


When media files are categorized by Threat Category, they can be sorted and filtered by threat 
category. To sort media files so that files with the highest calculated Threat Category value 
appear first, on the toolbar click Media. 


[Screenshot: Media view for the Bennett-Computer evidence item with a selected .heic picture; the File Information pane shows its Name and Path, and the status bar shows its position in the list (of 65,402) and its full path]


In the Sort field, choose one of these threat categories. 


• Threat Category - Alcohol
• Threat Category - Chat
• Threat Category - CSAM
• Threat Category - Currency
• Threat Category - Documents
• Threat Category - Drugs
• Threat Category - Extremism
• Threat Category - Gambling
• Threat Category - Gore
• Threat Category - ID/Credit Cards
• Threat Category - Porn
• Threat Category - Swim/Underwear
• Threat Category - Vehicles
• Threat Category - Weapons


Inspector sorts the media files, and the media file containing the highest calculated percentage 
in the selected Threat Category appears first. This feature is quite useful if there are many media 
files created at the same location. Image Analyzer threat categories may be more accurate than 
skin percentage. 
Mapping GPS Metadata Using Google Maps


To map geolocation metadata, select a file, and at the top of the File Content view, click Location.
If the analysis workstation is a non-networked machine, a Mercator map with red crosshairs
representing the file's approximate longitude and latitude coordinates displays along with
several of the file's actual geolocation metadata attributes and values (i.e. latitude, longitude,
timestamp, etc.).


If the analysis workstation has an Internet connection, click Show on Google Maps. A default 
browser window opens and displays (potentially) an address, a street view picture, and a satellite 
view based on the file's GPS metadata. 


Mapping GPS Metadata Using Google Earth 


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped 
with the Google Earth application. 


1. Select file(s) containing GPS data, click Action > Export Selected Location Data As, and then
choose either KMZ or KML format.

2. In the Export dialog box, type a file name and choose or create a destination folder, and then
click Export.
Inspector exports the GPS data to a .kmz or .kml file in the destination folder.

3. Open the .kmz or .kml file in Google Earth.
Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth
sidebar Places section.
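The walkthrough above works with GPS values as the File Information pane shows them (degrees, minutes and seconds plus an N/S or E/W reference), matches other files on the same value, and finally hands the result to Google Earth as KML. The following added example, written for this guide and not part of Cellebrite Inspector, carries those three steps out in code: it converts the DMS values to decimal degrees, isolates media that share a latitude value exactly (as the Metadata Value filter does) or, going one step beyond the guide, lie within a given radius, and writes the result as KML. The record layout, the function names and the sample media records are constructed for the example; only the first latitude reuses the value from the walkthrough.

```python
"""Added example, written for this guide and not part of Cellebrite Inspector:
convert the EXIF-style GPS values shown in the File Information pane (degrees,
minutes, seconds plus an N/S or E/W reference) to decimal degrees, isolate media
that share a coordinate, and export the result as KML for Google Earth.  The
record layout, function names and sample media are constructed for the
example; the radius search goes beyond the exact-value match the guide uses."""
import math
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

DMS = Tuple[float, float, float]  # degrees, minutes, seconds as stored in EXIF GPS tags


@dataclass(frozen=True)
class MediaRecord:
    name: str
    kind: str        # "Picture" or "Video", as in the Locations view Type column
    lat: DMS
    lat_ref: str     # "N" or "S"
    lon: DMS
    lon_ref: str     # "E" or "W"
    altitude_m: float = 0.0


def dms_to_decimal(dms: DMS, ref: str) -> float:
    """[43, 38, 33.21] with ref N -> 43.642558; S and W give negative values."""
    degrees, minutes, seconds = dms
    value = degrees + minutes / 60.0 + seconds / 3600.0
    return -value if ref.upper() in ("S", "W") else value


def same_latitude_value(records: List[MediaRecord], lat: DMS) -> List[MediaRecord]:
    """Exact match on the stored latitude, like the Metadata Value 'contains' filter."""
    return [r for r in records if r.lat == lat]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two decimal-degree points."""
    radius = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * radius * math.asin(math.sqrt(a))


def within_radius(records: List[MediaRecord], lat_dd: float, lon_dd: float,
                  radius_m: float) -> List[MediaRecord]:
    """Media within radius_m of a point; also catches files whose GPS values differ
    in the last decimals and so would miss an exact-value filter."""
    out = []
    for r in records:
        d = haversine_m(lat_dd, lon_dd,
                        dms_to_decimal(r.lat, r.lat_ref), dms_to_decimal(r.lon, r.lon_ref))
        if d <= radius_m:
            out.append(r)
    return out


def to_kml(records: List[MediaRecord]) -> str:
    """One Placemark per file; KML wants longitude,latitude,altitude order."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for r in records:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = r.name
        ET.SubElement(pm, "description").text = r.kind
        point = ET.SubElement(pm, "Point")
        lat = dms_to_decimal(r.lat, r.lat_ref)
        lon = dms_to_decimal(r.lon, r.lon_ref)
        ET.SubElement(point, "coordinates").text = f"{lon:.6f},{lat:.6f},{r.altitude_m}"
    return ET.tostring(kml, encoding="unicode")


def kml_coordinates(kml_text: str) -> List[str]:
    """Read the coordinate strings back out of a KML document (used to verify output)."""
    root = ET.fromstring(kml_text)
    return [el.text for el in root.iter() if el.tag.endswith("coordinates")]


# Constructed sample records; the first two reuse the latitude from the guide's walkthrough.
SAMPLE_MEDIA = [
    MediaRecord("IMG_0501.heic", "Picture", (43, 38, 33.21), "N", (79, 23, 6.78), "W", 94.8),
    MediaRecord("IMG_0502.heic", "Picture", (43, 38, 33.21), "N", (79, 23, 6.78), "W", 94.8),
    MediaRecord("MOV_0010.mov", "Video", (43, 38, 33.30), "N", (79, 23, 6.90), "W", 95.1),
    MediaRecord("IMG_0200.jpg", "Picture", (42, 5.33, 0), "N", (87, 42.97, 0), "W", 192.27),
]


if __name__ == "__main__":
    here = same_latitude_value(SAMPLE_MEDIA, (43, 38, 33.21))
    print(to_kml(here))
```

The exact-value match finds the two pictures that carry the walkthrough's latitude; the radius search additionally picks up the video whose coordinates differ by a fraction of a second of arc, which is the case an exact "contains" filter misses.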


We have now located media files that contain geolocation data, isolated the files containing the 
same GPS coordinates, sorted those results by calculated skin tone percentage, and mapped the 
results. 


Remember that media created using any camera with enabled GPS tracking features, such as 
the iPhone and iPad Location Services feature, may contain geolocation metadata. Forensic 
analysts may find geolocation artifacts on a Mac computer if the user attached the camera or 
smart device to the computer. 
There are two types of Searches. The Content Search feature isolates information according to
file content such as alphanumeric keywords or regular expressions. The Index Search feature
isolates information by querying information stored in the Smart Index. Any fields or documents
that have been indexed can be used to find information of interest. Keep in mind unallocated
space is not indexed. To find information in unallocated space, a Content Search must be used.


File Filtering can be used in conjunction with Content Searches to further isolate information. 
This chapter provides these topics about searching in Cellebrite Inspector. 


• Content Keyword Searches
• Saved Content Search Settings
• Applying Filters to a Content Search
• Viewing Content Search Results and Criteria
• Index Searching
• Bulk Extraction Searches on Memory Files


Content Keyword Searches 


To execute a content search, click Add next to Content Searches in the Component list. 


[Screenshot: Component list showing EVIDENCE (Bennett-Computer-20052..., Racer - Data, Racer, BOOTCAMP, Bennett-Mem.dmp), ACTIVITY (Evidence Status, Export Status), and the CONTENT SEARCHES heading with its Add button]
Inspector names each new search "New Search #" (appended with an incremental number)
automatically. To avoid confusion, always add a unique and descriptive search name at the top of
the Content pane in the Name field when defining new search criteria.


[Screenshot: content search definition with the Search Path field and the Options section: Search: Content only, Case Sensitive, Unicode (UTF16), Deep Search, Ignore Extensions, Keywords, Report Only First Hit on File; Import, Export, Save Search and Start Search buttons]


Once a content search is created, it is shown in the Component list under Content Searches. 
Double-click a saved search name to rename it at any time during the examination. 


Content searches can be refined to search specified areas of the media. Searches can be
directed to specific volumes by selecting the volume where it is listed in the Content pane. By
default, content searches are set to search from the root directory of the volume. To confine a
search to a specific directory, type or paste the path in the Search Path field. To copy-paste a path
name, navigate to the device in the Browser view. In the Content pane, right-click or CTRL+click
on a folder and choose Copy Path. Click Add next to Content Searches in the Component list. In
the Content pane to the right of the selected device name (under the Partition column), double-
click the Search Path field and press CMD+V or CTRL+V. To the left of the selected device name
(under the Partition column), mark the checkbox. Inspector searches the selected folder.
A secondary method for choosing the areas to search is to use Search Contents from the
contextual menu. This can be done from the Browser view: in the Content pane, right-click or
CTRL+click on a folder and choose Search Contents from the context menu.


[Screenshot: Browser view of Racer - Data > Users with the folder context menu open. The menu offers: Find..., Copy Path, Quick Look, Export, Reveal, Tag Files As, Calculate Size, Search Contents..., Expand Archive, Extract OCR Image Text, Add Selected...]


A new search window opens with the appropriate partition and search path checkbox selected. 


Partition                                    Search Path
EFI on Bennett-Computer-190305.E01           /
Preboot on Bennett-Computer-190305.E01       /
Recovery on Bennett-Computer-190305.E01      /
VM on Bennett-Computer-190305.E01            /
BOOTCAMP on Bennett-Computer-190305.E01      /


To search the entire device, leave the Search Path field as it appears with just /. If a path name is 
incorrectly entered into a Search Path field or if the typed path does not exist in the file system, a 
red error badge (!) appears next to the field. Once a valid path name is correctly entered, the 
error disappears. 


Partition                                                          Search Path
Josh Bennett's iPhone5 on Josh Bennett's iPhone5                   /
racer on Bennett_14-087-0301_1-Computer.dmg                        (!) (Path Invalid) /users/path
racer - Carved Files on Bennett_14-087-0301_1-Computer.dmg
Recovery HD on Bennett_14-087-0301_1-Computer.dmg
Recovery HD - Carved Files on Bennett_14-087-0301_1-Computer.dmg
BOOTCAMP on Bennett_14-087-0301_1-Computer.dmg
BOOTCAMP - Carved Files on Bennett_14-087-0301_1-Computer.dmg
Josh Bennett's iPhone on Josh Bennett's iPhone 3GS
Adding Keywords to Content Searches


In the Content pane at the bottom of the Keywords section, click + (add) and enter a keyword.
Optionally, in the Content pane in the Regular Expressions section, select the Selected Keyword is
RegEx Pattern checkbox to save the keyword as a regular expression. For example, to add the
search term slim jim, and search for keyword occurrences with either a space or no space
between slim and jim, add the keyword slim\s{0,1}jim.


Activate the Selected Keyword is RegEx Pattern checkbox. The new keyword is added as a Search 
term and added to the Add Preset drop-down menu as a regular expression preset. 


To add an existing text file containing a list of keyword search terms to a search, at the bottom of 
the Keywords section, click Import. The file for import must be UTF-8 encoded, as other 
encodings may not import correctly. Click Export to save the current keyword search term list to 
a text file for later use. To remove a keyword or keywords from the Keywords list, select a 
keyword or multiple keywords, and click - (remove). 


Inspector ignores files with a given extension when these extensions are added to the Ignore 
Extensions list. Items are added to the Ignore Extensions list in the same way they are added to 
the Keywords list. 


Regular Expression Presets 


Inspector includes several regular expression presets. Select these presets in the Regular 
Expressions section with the Add Preset menu. You can also edit regular expressions after 
selecting them. 


Preset Option                   Regular Expression

Social Security Number
    ^((?!000)(?!666)([0-6]\d{2}|7[0-2][0-9]|73[0-3]|7[5-6][0-9]|77[0-1]))-((?!00)\d{2})-((?!0000)\d{4})$

UK National Insurance Number
    ^[A-CEGHJ-PR-TW-Z]{1}[A-CEGHJ-NPR-TW-Z]{1}[0-9]{6}[A-DFM]{0,1}$

MAC Address
    ((\d|([a-f]|[A-F])){2}:){5}(\d|([a-f]|[A-F])){2}

IP Address
    \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b

Email Address
    [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}

Email Address (Simple)
    ([A-Z0-9-_.+%]{1,64}@([A-Z0-9-.]{1,63}\.([A-Z]{2,63}|((XN)--[A-Z0-9]{1,59}))))

URL
    (((ht|f)tp(s?):\/\/)|(www\.[^ \[\]\(\)\n\r\t]+)|(([012]?[0-9]{1,2}\.){3}[012]?[0-9]{1,2})\/)([^ \[\]\(\),;&quot;&lt;&gt;\n\r\t]+)([^ .\[\]\(\),;&quot;&lt;&gt;\n\r\t])|(([012]?[0-9]{1,2}\.){3}[012]?[0-9]{1,2})

International Phone Number Search
    ^(\+[1-9][0-9]*(\([0-9]*\)|-[0-9]*-))?[0]?[1-9][0-9\-]*$

Valid US Phone Number
    ^(((\(\d{3}\)|\d{3})-|\/)?(\(\d{3}\)|\d{3})) ?\d{3}( |-|\.)?\d{4}(( |-|\.)?([Ee]xt|[Xx])[.]?( |-|\.)?\d{4})?$

UK Phone Number
    (((\+44)? ?(\(0\))? ?)|(0))( ?[0-9]{3,4}){3}

Valid UK PostCode
    (((^[BEGLMNS][1-9]\d?)|(^W[2-9])|(^(A[BL]|B[ABDHLNRST]|C[ABFHMORTV]|D[ADEGHLNTY]|E[HNX]|F[KY]|G[LUY]|H[ADGPRSUX]|I[GMPV]|JE|K[ATWY]|L[ADELNSU]|M[EKL]|N[EGNPRW]|O[LX]|P[AEHLOR]|R[GHM]|S[AEGKL-PRSTWY]|T[ADFNQRSW]|UB|W[ADFNRSV]|YO|ZE)\d\d?)|(^W1[A-HJKSTUW0-9])|(((^WC[1-2])|(^EC[1-4])|(^SW1))[ABEHMNPRVWXY]))(\s*)?([0-9][ABD-HJLNP-UW-Z]{2}))$|(^GIR\s?0AA$)

US PostCode
    ((\d{5}-\d{4})|\d{5})

Canada PostCode
    ((?i)[ABCEGHJKLMNPRSTVXY]\d[ABCEGHJKLMNPRSTVWXYZ]\s?\d[ABCEGHJKLMNPRSTVWXYZ]\d)

Date
    ^((((0?[13578])|(1[02]))[\/\-]?((0?[1-9]|[0-2][0-9])|(3[01])))|(((0?[469])|(11))[\/\-]?((0?[1-9]|[0-2][0-9])|(30)))|(0?[2][\/\-]?(0?[1-9]|[0-2][0-9])))[\/\-]?\d{2,4}$

ISO Dates
    ^((((19|20)(([02468][048])|([13579][26]))-02-29))|((20[0-9][0-9])|(19[0-9][0-9]))-((((0[1-9])|(1[0-2]))-((0[1-9])|(1\d)|(2[0-8])))|((((0[13578])|(1[02]))-31)|(((0[1,3-9])|(1[0-2]))-(29|30)))))$

Date and Time
    ^(?=\d)(?:(?:31(?!.(?:0?[2469]|11))|(?:30|29)(?!.0?2)|29(?=.0?2.(?:(?:(?:1[6-9]|[2-9]\d)?(?:0[48]|[2468][048]|[13579][26])|(?:(?:16|[2468][048]|[3579][26])00)))(?:\x20|$))|(?:2[0-8]|1\d|0?[1-9]))([-./])(?:1[012]|0?[1-9])\1(?:1[6-9]|[2-9]\d)?\d\d(?:(?=\x20\d)\x20|$))?(((0?[1-9]|1[012])(:[0-5]\d){0,2}(\x20[AP]M))|([01]\d|2[0-3])(:[0-5]\d){1,2})?$

Time
    ^((([0]?[1-9]|1[0-2])(:|\.)[0-5][0-9]((:|\.)[0-5][0-9])?( )?(AM|am|aM|Am|PM|pm|pM|Pm))|(([0]?[0-9]|1[0-9]|2[0-3])(:|\.)[0-5][0-9]((:|\.)[0-5][0-9])?))$

Valid Credit Card
    (4\d{12})|(((4\d{3})|(5[1-5]\d{2})|(6011))(-?|\040?)(\d{4}(-?|\040?)){3}|((3[4,7]\d{2})((-?|\040?)\d{6}(-?|\040?)\d{5}))|(3[4,7]\d{2})((-?|\040?)\d{4}(-?|\040?)\d{4}(-?|\040?)\d{3})|(3[4,7]\d{1})(-?|\040?)(\d{4}(-?|\040?)){3}|(3[0-5]\d{1}|(36|38)\d{2})((-?|\040?)\d{4}(-?|\040?)\d{4}(-?|\040?)\d{2})|((2131|1800)|(2014|2149))((-?|\040?)\d{4}(-?|\040?)\d{4}(-?|\040?)\d{3}))


Add more expressions to the Regular Expressions Add Preset menu by modifying the
RegExPatterns.txt file located in the Inspector resources folder. This text file is a simple TSV
(tab-separated values) text file. Open the file in a text editor and append the desired expression(s)
to the bottom of the file using the following format, with the four fields separated by a Tab:


Name    Expression    Description    Sample
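The preset file layout just described, and the presets in the table above, can be exercised outside the product. The following added example is written for this guide and is not Cellebrite code: it loads preset rows in the four-column tab-separated layout, checks each expression against its own Sample column (a cheap way to catch a preset that was typed in wrongly), and runs the presets together with the guide's slim\s{0,1}jim keyword over some text. The four expressions are the IP Address, MAC Address, Email Address and US PostCode presets from the table; the preset rows, the sample text and the function names are constructed for the example.

```python
"""Added example, written for this guide rather than taken from Cellebrite
Inspector: load regular-expression presets in the tab-separated
Name/Expression/Description/Sample layout described for RegExPatterns.txt,
check every expression against its own Sample column, and run the presets
together with a keyword pattern over constructed text.  The four expressions
are the IP Address, MAC Address, Email Address and US PostCode presets from the
table above; the file contents, sample text and function names are constructed
for the example."""
import re
from typing import Dict, List

IP_ADDRESS = (r"\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\."
              r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b")
MAC_ADDRESS = r"((\d|([a-f]|[A-F])){2}:){5}(\d|([a-f]|[A-F])){2}"
EMAIL_ADDRESS = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}"
US_POSTCODE = r"((\d{5}-\d{4})|\d{5})"

# Constructed preset rows in the RegExPatterns.txt layout (fields separated by tabs).
PRESETS_TSV = "\n".join([
    "\t".join(["IP Address", IP_ADDRESS, "IPv4 dotted quad", "192.168.1.10"]),
    "\t".join(["MAC Address", MAC_ADDRESS, "Ethernet hardware address", "00:1a:2b:3c:4d:5e"]),
    "\t".join(["Email Address", EMAIL_ADDRESS, "Mailbox address", "user@example.com"]),
    "\t".join(["US PostCode", US_POSTCODE, "ZIP or ZIP+4", "60601-1234"]),
])


def load_presets(tsv_text: str) -> Dict[str, dict]:
    """Parse Name<TAB>Expression<TAB>Description<TAB>Sample rows; reject malformed ones."""
    presets: Dict[str, dict] = {}
    for lineno, line in enumerate(tsv_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields, got {len(fields)}")
        name, expression, description, sample = fields
        re.compile(expression)   # fail fast on a bad expression instead of at search time
        presets[name] = {"expression": expression, "description": description, "sample": sample}
    return presets


def presets_failing_their_sample(presets: Dict[str, dict]) -> List[str]:
    """Names of presets whose expression does not match the Sample given for it."""
    return [name for name, p in presets.items() if not re.search(p["expression"], p["sample"])]


def search_text(text: str, patterns: Dict[str, str],
                case_sensitive: bool = False) -> Dict[str, List[str]]:
    """Run every pattern over the text; mirrors the Case Sensitive search option."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return {name: [m.group(0) for m in re.finditer(expr, text, flags)]
            for name, expr in patterns.items()}


# Constructed text standing in for file content.
SAMPLE_TEXT = ("Reach josh@example.com from 10.0.0.5 (adapter 00:1A:2B:3C:4D:5E), "
               "ZIP 60601-1234. Notes mention a Slim Jim and a slimjim; "
               "999.1.1.1 is not an address.")


def run_example() -> Dict[str, List[str]]:
    """Presets from the TSV plus the guide's slim\\s{0,1}jim keyword, run over SAMPLE_TEXT."""
    presets = load_presets(PRESETS_TSV)
    patterns = {name: p["expression"] for name, p in presets.items()}
    patterns["slim jim (keyword)"] = r"slim\s{0,1}jim"
    return search_text(SAMPLE_TEXT, patterns)


if __name__ == "__main__":
    for name, hits in run_example().items():
        print(f"{name}: {hits}")
```

Note that 999.1.1.1 is not reported: the IP Address preset limits each octet to 0-255 and the \b anchors stop it from matching a shorter run inside the bad address.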


In the upper right corner of the Content pane in the Options section, click Search and select 
Content only, Content and File Names, or File Names only as necessary. Inspector searches for 
keywords and regular expressions in the contents of a file, in the file name, or both. The Content 
Only option is selected by default. 


Select the following additional search criteria options by activating any or all corresponding 
checkboxes. 


• Case Sensitive
• Unicode (UTF16)
• Skip Files Larger Than
• Report Only First Hit on File


Activate the Case Sensitive checkbox to make a keyword search case sensitive. Deactivate the 
Unicode (UTF 16) checkbox to ignore unicode or UTF 16 characters. Activate the Skip Files Larger 
Than checkbox and specify a file size to search for files over a specific size. Activate the Report 
Only First Hit on File to stop the search after the first keyword hit. 


When you activate the Deep Search option, Inspector expands container files, archive files, 
database files, multimedia files, etc., so the search function can look inside these files for 
examiner-defined keywords and RegEx patterns. Inspector will also perform a regular ASCII 
search function at the same time to maximize all possible search results from case evidence. 
By default, Inspector deduplicates search hits across multiple Volume Shadow Copies, returning
a hit on the oldest Volume Shadow Copy version if others have the same hash value. If a Volume
Shadow Copy and primary file have the same hash, both the primary file and oldest Volume
Shadow Copy version will be included in search hits, providing the file modification times differ.
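The deduplication rule just stated is easier to reason about when written out. The following added example, written for this guide and not part of Cellebrite Inspector, models it over a handful of constructed hits: among shadow-copy versions that share a hash only the oldest copy is reported, and a shadow copy whose hash matches the live file is reported alongside it only when their modification times differ. The record layout, the function names and the sample hits are constructed, and reporting only the live file when the modification times are equal is an assumption about the tie case that the text does not spell out.

```python
"""Added example, written for this guide and not part of Cellebrite Inspector:
a model of the Volume Shadow Copy de-duplication rule described above.  Among
shadow-copy versions of a file that share a hash, only the oldest is reported;
when a shadow copy and the live file share a hash, both are reported only if
their modification times differ.  The record layout, names and sample hits are
constructed; treating an equal modification time as "report the live file
only" is an assumption."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SearchHit:
    path: str
    version: Optional[str]            # None for the live (primary) file, else the VSC name
    vsc_created: Optional[datetime]   # when the shadow copy was taken; None for the live file
    sha256: str                       # hash of the file content that produced the hit
    modified: datetime                # file modification time recorded for that version


def deduplicate_vsc_hits(hits: List[SearchHit]) -> List[SearchHit]:
    """Collapse hits on identical content across shadow copies, keeping the oldest copy."""
    by_path: Dict[str, List[SearchHit]] = {}
    for h in hits:
        by_path.setdefault(h.path, []).append(h)

    kept: List[SearchHit] = []
    for group in by_path.values():
        live = [h for h in group if h.version is None]
        shadows = [h for h in group if h.version is not None]
        kept.extend(live)                       # the live file is always reported
        live_by_hash = {h.sha256: h for h in live}

        # Oldest shadow copy per distinct content hash.
        oldest: Dict[str, SearchHit] = {}
        for s in sorted(shadows, key=lambda h: h.vsc_created):
            oldest.setdefault(s.sha256, s)

        for s in oldest.values():
            twin = live_by_hash.get(s.sha256)
            if twin is not None and twin.modified == s.modified:
                continue   # same content and same mtime as the live file: one hit suffices (assumption)
            kept.append(s)
    return sorted(kept, key=lambda h: (h.path, h.version or ""))


# Constructed sample hits for two files across three shadow copies.
VSC1, VSC2, VSC3 = datetime(2020, 1, 10), datetime(2020, 2, 10), datetime(2020, 2, 20)
NOTES = r"C:\Users\josh\notes.txt"
LOG = r"C:\temp\log.txt"
SAMPLE_HITS = [
    SearchHit(NOTES, None, None, "h1", datetime(2020, 3, 1)),
    SearchHit(NOTES, "VSC1", VSC1, "h0", datetime(2019, 12, 20)),
    SearchHit(NOTES, "VSC2", VSC2, "h0", datetime(2019, 12, 20)),  # same content as VSC1
    SearchHit(NOTES, "VSC3", VSC3, "h1", datetime(2020, 2, 15)),   # same content as live, older mtime
    SearchHit(LOG, None, None, "h9", datetime(2020, 3, 5)),
    SearchHit(LOG, "VSC3", VSC3, "h9", datetime(2020, 3, 5)),      # identical to the live file
]


def reported_hits() -> List[Tuple[str, Optional[str]]]:
    """(path, version) pairs that survive de-duplication; version None is the live file."""
    return [(h.path, h.version) for h in deduplicate_vsc_hits(SAMPLE_HITS)]


if __name__ == "__main__":
    for path, version in reported_hits():
        print(version or "live", path)
```

Of the six sample hits, four are reported: VSC2 collapses into VSC1 because the content is the same, and the log file's shadow copy collapses into the live file because both the hash and the modification time match.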


You can change the deduplication setting in the Preferences dialog box for Inspector, on the 
Options tab. For more information, see Inspector Preferences or Options. 


Saved Content Search Settings 


After all search options are set as desired, in the bottom right corner of the Content pane, click 
Save Search to save the current search criteria settings for later use. You can overwrite an 
existing search to replace it, if necessary. 


To confirm the search was saved, in the top right corner of the Content pane, click Saved 
Searches and see whether it is in the list. 


To edit the Saved Searches list, click Saved Searches and select Edit Saved Searches. The
User Created Searches window appears.


To rename a saved search, click Rename. After you type the new name, click anywhere outside 
the text box or press ENTER. The new name appears in the User Created Searches window. 


To remove a search from the list, select the search, and then click Remove. 


Applying Filters to a Content Search 


You can include a preset file filter or a saved custom file filter as part of search criteria. To do so, 
from the Search view, click Search All Files and choose Files that Match Filter or Files that Don’t 
Match Filter. 


In the Saved File Filter list, choose a saved file filter or the current unsaved filter. 


Filtering Search Results 


After starting a search, you may also apply a view filter to narrow the search results. If the file
filter is not currently shown, click Show/Hide Filter (three arrows) below the right side of the
toolbar. Show/Hide Filter changes in appearance depending on whether filters are shown or
hidden, and in use or not.


To the right of Apply, click + (add), and then click Any. Now you can choose a filter from the list, 
which provides options appropriate for the view in use. Repeat this to add more filters. 


To remove filters, to the right of the specific filter, click - (remove). 


For more information, see File Filters. 
Viewing Content Search Results and Criteria


Click Start Search. At the top of the Content pane a progress bar appears. Search results are 
populated as they are found, and Inspector begins displaying the results while the search is still 
in progress. 


To pause or resume a Search, on the right side of the progress bar, click the Pause/Resume 
toggle. 


When a search begins, the name of the search and percentage complete indicator appear in the 
Component list under Content Searches. Click the search name to view the search results. 


[Screenshot: CONTENT SEARCHES section of the Component list, showing completed searches (Cars, Internet Services, Internet Searches, Facebook Addresses, Email Domain, Zip Files, URLs, Phone Numbers, RFC822 Headers, JSON Data, IP Addresses, EXIFs, Ethernet MAC Addresses, Email Addresses, Internet Domains, AES Keys) and a Deep Search in progress at 0.69%]


On the menu bar, choose View > Adjust List Columns and select or deselect column options as
desired. Selected columns display in the Content pane. The Partition column is useful, as it helps
the examiner identify which device contains a given hit.


When you export data using the Export Selected Rows feature, Inspector only exports the data in 
the displayed columns; data in the hidden (unmarked) columns is not exported. 


The exception to this rule is the Contacts sub-view in the Communications view. From this sub-view,
all fields of the contact data, including those seen in the right pane, are included in exports.
In the upper portion of the Content pane, select a file in the file list. The middle section displays a
highlighted hit, and a short context snippet for each hit occurrence within the selected file. 
Double-click on a highlighted keyword and Inspector automatically displays the search hit in the 
Hex view of the File Content view. 


[Screenshot: search results in the Content pane (Keyword, Occurrences, Partition, Version, Index, Extension columns), with the File Content view below showing the selected hit in Hex view and the Position and Selection indicators in the bottom right corner] 


Each hexadecimal search hit is highlighted in orange. In the bottom right corner under the File 
Content view, a Selection # indicator appears, along with the hit's sector offset, physical sector, 
logical sector, and cluster start. The Status Bar shows the search hit pathname. 


If more than one search hit is returned, click the arrow buttons at the top of the File Content 
view to navigate through each hit. 




You can select and tag search hits from within the File Content view. For more information, see 
Tags. 
With Hex selected, double-click on a highlighted hexadecimal hit. Inspector automatically 
displays the hit in an appropriate view, such as Media, Internet, and so forth. 


To quickly search for another text string within the returned search results, click anywhere in 
the File Content view, and press your computer's shortcut keys for Find. In the Find window, type 
the desired text and click Find. Any results are highlighted in green. 


Criteria Tab 


At the top of the Content pane, click Criteria to see the criteria used for the search, the searched 
partitions, search settings, keywords (including RegEx), and the ignored extensions. Click Results 
to return to the search results. 


Statistics Tab 


At the top of the Content pane, click Statistics to see search hits for each keyword and total 
search hits, search size and file count, and the search start, end, and total time elapsed. Click 
Results to return to the search results. 
Index Searching 


Cellebrite Inspector provides index searching only for allocated files on the file system. These 
are the files likely to be most relevant for prosecution. You can search the index to quickly 
determine whether a particular topic or subject is mentioned in the evidence set. 


Data extracted by Inspector from inside of container files (like internet, email, or archives) as a 
result of processing are included in the index. Indexing the normalized data returns hits for 
topics or subjects mentioned in internet artifacts, messages and emails, text obtained from 
optical character recognition (OCR) within image files, or within decompressed archive files. 


You can run Smart Indexing during the initial ingestion of evidence or later. 


If indexing is performed before other processes, such as Mail Parsing or Process Archives, once 
the process runs the newly processed data is added to the index. It is common to see the 
Indexing process running in Evidence Status each time new information is processed on indexed 
devices. 


Inspector uses an implementation of SQLite's Full Text Query Syntax Extension to perform 
indexing and index searches. For more information, see 
https://sqlite.org/fts5.html#full_text_query_syntax. 


To improve performance, you can adjust the memory allocated for the SQLite Full Text Query. 
The default setting allocates 2 GB (2048 MB); you can increase or decrease it. The minimum is 
512 MB and the maximum is 100 GB. When you change Index Search Memory Size (MB), you must 
restart Inspector for the change to take effect. For more information, see Inspector Preferences 
or Options. 


• To run Smart Indexing during initial ingestion, mark the Smart Indexing checkbox when you 
add the evidence item. 

• To run Smart Indexing after initial ingestion, click Evidence Status under ACTIVITY in the 
Component list and then click Run next to Indexing. In this case, indexing occurs after all 
other processing options. 


Once the Smart Index is created, you can search it. 
Search 


When you click Add next to INDEX SEARCHES in the Component list, Index Search appears in the 
Content pane with areas for these purposes. 

1. Create and execute the query. 

2. Show a list of files that match the executed query. 

3. Show the highlighted hit. 


[Screenshot: the Index Search area with a Query Name field, Logic and Insert menus, a Run Query button, and the query apple AND path:("josh"); the results list shows Name / Sender, Subject, and Date Created / Sent columns, the Hit # and Context list shows each occurrence, and the File Content view below displays the selected email with hits highlighted] 


For example, to find information related to a user's Apple ID, create a query with the word 
AppleID. To narrow the result to a specific user account, add the AND operator. Then add the 
metadata option Path Contains and type the user account name in the <pathpart> portion. 


[Screenshot: typing apple in the query text box; the Suggested Terms list shows each matching term with its occurrence count, for example apple, appledictionary, applemetanodelocation, applemetarecordname, applescript, applesystemuifont, appletopic, applepushservice, and applestoragedrivers] 


You can see the results of the query in the Content pane. When you highlight a result in the list of 
files returned, the hit is highlighted. The entire file is displayed in the File Content view with hits 
on the search term highlighted. 


If you highlight multiple files in the list of files returned, multiple hits appear in the highlighted 
area. If the OCR Image Text process was run against the evidence, OCR text may be returned as 
a result. 
Create a Smart Index Query 


1. In the Component list, click Add next to INDEX SEARCHES. 
2. In the Query Name field, type the name of this query. 
This name appears in the Component list for the search. 
3. In the query text box, type a search term. 
As you type, terms appear in the Suggested Terms box, which also shows the number of hits 
in the index for each suggested term. 
4. Click Logic to select operators to combine terms and metadata to create a more complex 
query. 
These operators are available. 
• AND 
• OR 
• NOT 
• Wrap selection with ( ) 


5. Click Insert to select file metadata contained in the Smart Index that can be used to find data 
of interest. 
These options are available. 
• Proximity 
• Path Contains 
• Name / Sender Contains 
• Subject Contains 
• Participants Contains 


6. When you are satisfied with the query you created, click Run Query to see the results. 
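The FTS5 query syntax behind Smart Index searches, shown against a small constructed index. This is an added example written for this document, not Cellebrite code: the four-column layout (path, sender, subject, body), the sample documents, and the fts5vocab table used for term suggestions are assumptions chosen to mirror the Path Contains, Name / Sender Contains, and Subject Contains options above. It also demonstrates NOT and NEAR (the Proximity option), which the page's own query does not use.

```python
import sqlite3

# Constructed sample documents standing in for indexed files: (path, sender, subject, body).
# The column layout is an assumption for this example; Inspector's own index schema is not
# documented on this page.
SAMPLE_DOCS = [
    ("/Users/josh/Library/Mail/V7/989365/8200.emlx", "Apple Support",
     "Your Apple ID was used to sign in",
     "If you have not signed in to iCloud recently, go to Apple ID and change your password."),
    ("/Users/josh/Library/Preferences/josh.plist", "", "",
     "apple dictionary settings"),
    ("/Users/alice/Documents/notes.txt", "alice", "shopping",
     "apple pie recipe and a list of groceries"),
    ("/Users/alice/Downloads/report.pdf", "bob", "Quarterly report",
     "revenue numbers for the quarter"),
]


def build_index(docs):
    """Create an in-memory FTS5 index over the sample documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE VIRTUAL TABLE idx USING fts5(path, sender, subject, body)")
    conn.executemany("INSERT INTO idx VALUES (?, ?, ?, ?)", docs)
    # fts5vocab exposes per-term occurrence counts, which is what a Suggested Terms box needs.
    conn.execute("CREATE VIRTUAL TABLE idx_vocab USING fts5vocab(idx, 'row')")
    return conn


def search(conn, query):
    """Run an FTS5 MATCH query and return the matching paths, best-ranked first."""
    rows = conn.execute(
        "SELECT path FROM idx WHERE idx MATCH ? ORDER BY rank", (query,)
    ).fetchall()
    return [r[0] for r in rows]


def suggested_terms(conn, prefix, limit=10):
    """Terms in the index starting with prefix, with their total occurrence counts."""
    rows = conn.execute(
        "SELECT term, cnt FROM idx_vocab WHERE term >= ? AND term < ? "
        "ORDER BY cnt DESC, term LIMIT ?",
        (prefix, prefix + "\uffff", limit),
    ).fetchall()
    return [(term, count) for term, count in rows]


if __name__ == "__main__":
    conn = build_index(SAMPLE_DOCS)
    print(search(conn, "apple AND path:josh"))        # only josh's files that mention apple
    print(search(conn, "apple NOT path:josh"))        # everyone else's
    print(search(conn, 'subject:"apple id"'))         # phrase restricted to one column
    print(search(conn, "NEAR(apple password, 20)"))   # proximity: both terms within 20 tokens
    print(suggested_terms(conn, "apple"))
```

Column filters such as path:josh are what the Insert menu's Path Contains option writes into the query for you; the same filter works for the sender and subject columns, and a quoted phrase restricts the match to adjacent tokens.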


[Screenshot: a completed Smart Index query (apple AND path:josh) with its results list (Name / Sender, Subject, Date Created / Sent, Participants), the Hit # and Context list, and the selected Apple Support email displayed in the File Content view] 
Bulk Extraction Searches on Memory Files 


When you run advanced processing options on a memory file, Inspector uses a bulk extraction 
tool to perform content searches, scanning the evidence file for key items of interest. These 
search items are included. 


• URLs 
• phone numbers 
• Internet searches 
• zip files 
• JSON data 
• ethernet MAC addresses 
• AES keys 
• email addresses 
• Facebook addresses 
• Internet services 
• email domain 
• RFC822 headers 
• GPS data 
• EXIFs 
• Internet domains 


After advanced processing options have finished running, any bulk extraction content searches 
that yielded results will be shown in the Content Searches section of the Component list, in the 
same location as any user-defined searches. A bulk extraction content search will only be shown 
in the list if one or more results were found for that search. 
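A constructed scanner showing how a bulk extraction pass finds items in a raw image and how a hit's byte offset relates to the sector and cluster figures shown under the File Content view (see Viewing Content Search Results and Criteria). This is an added example, not Inspector's extraction tool: the patterns cover only a subset of the item types listed above, the sample image is made up, and the sector size, cluster size, and partition start are assumed values.

```python
import re
from dataclasses import dataclass

# Disk geometry assumed for this example so a byte offset can be translated into the
# figures shown under the File Content view: sector offset, physical sector, logical
# sector (relative to the partition) and cluster. Real images carry these in their
# partition table and file system metadata.
SECTOR_SIZE = 512            # bytes per sector (assumed)
CLUSTER_SIZE = 4096          # bytes per cluster, i.e. 8 sectors (assumed)
PARTITION_START = 1048576    # byte offset of the partition within the image (assumed, 1 MiB)

# A subset of the bulk extraction item types listed above, as byte-oriented patterns.
PATTERNS = {
    "URLs": re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>]*)?"),
    "Email Addresses": re.compile(rb"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"),
    "IP Addresses": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Ethernet MAC Addresses": re.compile(rb"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "Zip Files": re.compile(rb"PK\x03\x04"),   # zip local file header signature
}


@dataclass
class Hit:
    keyword: str    # bulk extraction search name
    offset: int     # absolute byte offset of the hit within the image
    value: bytes    # matched bytes


def scan(image):
    """Scan a raw image (bytes) for every pattern; hits are returned in offset order."""
    hits = [Hit(name, m.start(), m.group())
            for name, pat in PATTERNS.items()
            for m in pat.finditer(image)]
    hits.sort(key=lambda h: h.offset)
    return hits


def summarize(hits):
    """Hit counts per search; searches with no hits are absent, as in the Component list."""
    counts = {}
    for h in hits:
        counts[h.keyword] = counts.get(h.keyword, 0) + 1
    return counts


def geometry(offset):
    """Translate an absolute byte offset into sector and cluster figures."""
    rel = offset - PARTITION_START
    return {
        "sector_offset": offset % SECTOR_SIZE,              # byte position inside its sector
        "physical_sector": offset // SECTOR_SIZE,           # sector counted from image start
        "logical_sector": rel // SECTOR_SIZE if rel >= 0 else None,   # from partition start
        "cluster": rel // CLUSTER_SIZE if rel >= 0 else None,
    }


# Constructed stand-in for a memory image: padding up to the partition, then a few
# recognisable artifacts, then more padding.
SAMPLE_IMAGE = (
    b"\x00" * (PARTITION_START + 3000)
    + b"contact admin@example.com via https://example.com/login "
    + b"host 192.168.1.10 mac 00:11:22:33:44:55 "
    + b"PK\x03\x04archive-bytes-follow"
    + b"\x00" * SECTOR_SIZE
)


if __name__ == "__main__":
    found = scan(SAMPLE_IMAGE)
    print(summarize(found))
    for h in found:
        print(h.keyword, h.value, geometry(h.offset))
```

Only searches that produced at least one hit appear in the summary, which is the behaviour described above for the Content Searches list; a hit that lies before the partition start has no logical sector or cluster, which is why those two figures can be empty.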


[Screenshot: bulk extraction search results for a memory file, with the Keyword, Partition, Version, Index, Extension, and Content columns, hits such as URLs containing 192.168. addresses, and the JSON Data and IP Addresses searches listed under Content Searches] 


Bulk extraction search results can be viewed and analyzed in the same manner as user-defined 
searches. For more information, see Viewing Content Search Results and Criteria. 


For more information, see Adding a Memory File. 
This chapter provides these topics about the Media view in Cellebrite Inspector. 


e Analyzing Picture and Video Files 
e Analyzing Audio Files 


Analyzing Picture and Video Files 


The Media view in Cellebrite Inspector displays a thumbnail gallery of most picture and video 
files on an evidence item. This view also displays audio file information. Built-in playback 
controls allow examiners to listen to audio files directly from within Inspector. 


The Media view provides options for sorting through visual media files. Select among the 
Pictures, Videos, or Thumbnails tabs to view those types of files separately or choose the 
Combined tab to view all three types together. 


Picture files and video files are easily discernible from one another in the Media view; video file 
icons are rendered as 4 x 4 mosaics comprised of sixteen frame-sequence slices. 


Note: The picture and video thumbnails do not appear if the video and picture processor has not 
been run. 


You can preview video files. To see the video file split into sixteen frame sequences and displayed 
as a 4 x 4 mosaic, at the top right of the File Content view, click Thumbs. If you click Video, the 
video file is rendered with playback controls. To play the video, click Play. 


[Screenshot: video preview in the File Content view, with the file position (1 of 97) and its path shown below the preview] 


In the Content pane, select a file and press the spacebar, or click the Quick Look (the eye) button 
to view the file using Quick Look (Mac only). Quick Look displays native Apple application files (and some 
third-party application files) the same way a user sees them. Audio and video files play within the 
Quick Look view as well. 


Note: The Quick Look feature works only when a Quick Look plug-in for the selected file type, or 
an application that supports the selected file type, is installed on the forensic examiner's analysis 
machine. 
Sticky Select 


To select and tag multiple pictures or videos, in the top right corner of the Content pane, mark 
the Sticky Select checkbox. Click on several consecutive or non-consecutive pictures and they all 
remain selected. 


To quickly select multiple consecutive pictures in a horizontal and/or vertical row, with Sticky 
Select enabled, press SHIFT+PAGE UP, SHIFT+PAGE DOWN, SHIFT+RIGHT ARROW, or SHIFT+LEFT ARROW. A red 
square appears around pictures as they are selected. 


[Screenshot: the Media view with the Pictures, Videos, Thumbnails, Combined, and Audio tabs, the Sticky Select checkbox marked, and several selected pictures outlined in red] 


To deselect a single picture (and additional non-consecutive single pictures) in one of the 
selected rows, release the SHIFT key, press and hold CMD, and click on the 


In the Media view, a picture or thumbnail that has been recovered from a deleted file is outlined 
with a red square. 


Thumbnails 


Inspector has the ability to parse thumbnails created for iOS (.ithmb extension), Windows (stored 
in Thumbs.db files) and macOS (stored in Quick Look's thumbnail cache, 
com.apple.QuickLook.thumbnailcache). 


Thumbnails can be viewed in the Media view. Click Pictures/Videos to see all pictures and videos, 
including thumbnails. When a thumbnail is selected in the Content pane, any metadata shown in 
the File Content view refers to the thumbnail, not its source picture file. Also, double-clicking a 
thumbnail picture opens the thumbnail, not its source picture file. 
In the Content pane, each thumbnail picture is shown with an icon beneath it. 


[Screenshot: a thumbnail picture with a Thumbs.db source icon beneath it] 


Hovering the cursor over this icon reveals the path and file name of the thumbnail's source file, if 
it exists. It also indicates the database from which the thumbnail is rendered. Single-clicking the 
icon reveals the source file in the Browser view. 


[Screenshot: the tooltip shown when hovering over the source icon, ending "...G_0046.JPG' in File Browser"] 


If the source file for a thumbnail is no longer on the system, hovering over the icon will indicate 
that the source file cannot be located. In such cases, single-clicking the icon reveals the 
database containing the thumbnail in the Browser view. 


[Screenshot: thumbnail pictures with their source icons, labelled Thumbs.db for Windows thumbnails and 4031.ithmb for iOS thumbnails] 
Geolocation Metadata 


Picture and video files containing geolocation (GPS) information display with a red placemark 
icon below the bottom left corner of the file icon. Select a picture or video file that has a 
placemark icon. At the top of the File Content view, click Location. A Mercator map, altitude, 
altitude reference, latitude, longitude, and timestamp metadata associated with the picture 
appear. 


[Screenshot: the Media view with a picture selected and the Location tab of the File Content view showing the Property list, for example Longitude -87.7] 


In the File Content view, click Show on Google Maps. Google Maps launches in a default Internet 
browser window and displays the geolocation information associated with the picture file. 


Export Location Data as KMZ or KML 


Files containing GPS information can be selected, exported to a .kmz or .kml file, and mapped 
with the Google Earth application. 


1. Select file(s) containing GPS data, click Action > Export Selected Location Data As, and then 
choose either KMZ or KML format. 


2. In the Export dialog box, type a file name and choose or create a destination folder, and then 
click Export. 


Inspector exports the GPS data to a .kmz or .kml file in the destination folder. 
3. Open the .kmz or .kml file in Google Earth. 


Google Earth displays a pushpin for each file. Each pushpin is also listed in the Google Earth 
sidebar Places section. 


For more information, see Locating Live Victims. 
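The KML that such an export produces, and its packing into a .kmz archive, as an added example rather than Inspector's own exporter. The sample files, their coordinates, and the doc.kml entry name are constructed for the example; the fields follow the Location tab (latitude, longitude, altitude, altitude reference, timestamp), and a file without GPS data is skipped, since only files containing GPS information are exported.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed per-file location metadata mirroring the fields the Location tab lists.
# The third file has no GPS data and is skipped by the export.
SAMPLE_FILES = [
    {"name": "IMG_0046.JPG", "path": "/Users/josh/Pictures/IMG_0046.JPG",
     "latitude": 41.8781, "longitude": -87.7, "altitude": 181.0,
     "altitude_ref": "above sea level", "timestamp": "2020-05-20 22:28:37 (UTC)"},
    {"name": "clip.mov", "path": "/Users/josh/Movies/clip.mov",
     "latitude": 34.0522, "longitude": -118.2437, "altitude": 71.0,
     "altitude_ref": "above sea level", "timestamp": "2020-05-19 22:57:28 (UTC)"},
    {"name": "scan.png", "path": "/Users/josh/Documents/scan.png"},
]


def has_gps(f):
    return f.get("latitude") is not None and f.get("longitude") is not None


def to_kml(files):
    """Build a KML document with one Placemark per file that carries GPS metadata."""
    placemarks = []
    for f in filter(has_gps, files):
        desc = (f"Path: {f['path']}\nAltitude: {f.get('altitude', '')} "
                f"({f.get('altitude_ref', '')})\nTimestamp: {f.get('timestamp', '')}")
        # KML coordinate order is longitude,latitude,altitude (not latitude first).
        placemarks.append(
            "<Placemark>"
            f"<name>{escape(f['name'])}</name>"
            f"<description>{escape(desc)}</description>"
            f"<Point><coordinates>{f['longitude']},{f['latitude']},"
            f"{f.get('altitude', 0)}</coordinates></Point>"
            "</Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            f'<kml xmlns="{KML_NS}"><Document>' + "".join(placemarks) + "</Document></kml>")


def to_kmz(files):
    """A .kmz is a zip archive whose main entry is conventionally named doc.kml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", to_kml(files))
    return buf.getvalue()


def read_kmz(kmz_bytes):
    """Extract the KML text back out of a .kmz archive."""
    with zipfile.ZipFile(io.BytesIO(kmz_bytes)) as zf:
        return zf.read("doc.kml").decode("utf-8")


def placemark_names(kml_text):
    """Placemark names in document order (what Google Earth lists under Places)."""
    root = ET.fromstring(kml_text.encode("utf-8"))
    return [pm.findtext(f"{{{KML_NS}}}name") for pm in root.iter(f"{{{KML_NS}}}Placemark")]


if __name__ == "__main__":
    with open("locations.kml", "w", encoding="utf-8") as out:
        out.write(to_kml(SAMPLE_FILES))
    with open("locations.kmz", "wb") as out:
        out.write(to_kmz(SAMPLE_FILES))
    print(placemark_names(to_kml(SAMPLE_FILES)))
```

Each Placemark becomes one pushpin in Google Earth and one entry in its Places sidebar, which matches step 3 above; the description carries the path and timestamp so the pushpin can be traced back to the evidence file.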
Image Categorization with Image Analyzer 


The integration of Image Analyzer into Cellebrite Inspector provides the capability to run image 
categorization across pictures and videos. Image Analyzer is a proven solution with years of 
experience in categorizing images based on the content using machine learning technology. 
Inspector looks for these categories. 


• Alcohol 
• Chat - Detects mobile screenshots of messenger applications such as Facebook 
Messenger, Viber, WhatsApp, Skype, Telegram, and other chat-based applications. 
• Child Sexual Abuse Material (CSAM) 
• Currency 
• Documents 
• Drugs 
• Extremism 
• Gambling 
• Gore 
• ID/Credit Cards 
• Maps 
• Porn 
• QR & Barcodes 
• Swimwear/Underwear 
• Vehicles - Detects images containing cars (all types, such as sedans, SUVs, pickups, 
etc.), trucks, motorbikes, and buses. 
• Weapons 


Image categorization can reduce review time by revealing images and videos that match a 
category of interest to the investigation. Examiners can choose which categories to run. 


Image Analyzer is completely integrated with Inspector and requires no Internet connection. 
Improvements to Image Analyzer, including the release of additional threat categories, will be 
provided with new releases of Inspector. You can request new image categories by sending an 
email to support@cellebrite.com. 


Since Image Analyzer is a learning model, it can be improved when users provide false positives. 
Reach out to Cellebrite to share false positive images. These images will be provided directly to 
Image Analyzer to refine the model. 


Image Analyzer can be run during the initial ingestion of evidence or later. To run during initial 
ingestion, click the ellipses next to Picture Analysis or Video Analysis. The Media Analysis dialog 
box appears. By default, only Standard Processing is selected. To choose all categories, click 
Check All. You can also mark only the necessary categories to run. 


[Screenshot: the Media Analysis dialog box with checkboxes for Vehicles, Chat, ID/CreditCards, Document, Currency, CSAM, Alcohol, Drugs, Extremism, Gambling, Gore, and Porn, and Check All and Cancel buttons] 
Runtime for initial processing with Classify Threat Categories selected may increase significantly. 


To run Classify Threat Categories after initial ingestion, navigate to the evidence item of interest 
in Evidence Status. The Play button next to the Pictures and Videos processes is yellow if 
standard processing or other threat categories have been processed. If nothing was processed, 
the Play button is gray. 


When you click Play next to Pictures or Videos, the Media Analysis dialog box appears, where you 
can choose some or all categories to run. 


Video processing in Inspector includes the creation of a 4 x 4 proof sheet containing 16 still 
frames from across the video. This proof sheet is then classified by Image Analyzer. This is much 
less time consuming than providing every frame of the video to Image Analyzer, but still allows 
for more granularity than just providing one frame. Since the proof sheet is composed of 16 
snapshots, the classification results for Videos are not as precise as the classification results 
for Pictures. 


Threat Category results can be seen in the File Information pane or the Metadata tab in File 
Content view. 
[Screenshot: the Metadata tab of the File Content view showing a Field/Value list of threat category scores for the selected picture, for example Alcohol: 87.782722, Chat: 0.000009, CSAM: 0.000000, Drugs: 0.112860, Gambling: 0.855617, Gore: 0.008393, Porn: 0.036402, Swim/Underwear: 0.021036, Vehicles: 0.193977, and Weapons: 0.101853, with the file position (1 of 65,402) and path shown below] 
Images that are classified have a percentage associated with each threat category. An image 
may be associated with more than one threat category. The exception to this is when an image is 
classified as belonging to one category 100%. In these instances, the image will be classified as 
only the one category. 


[Screenshot: the Threat Categories panel for an image classified as Weapons: 100.00%, with Alcohol, Drugs, Extremism, Gore, Porn, and Swim/Underwear all at 0.00%] 


In Media view, content can be sorted by Threat Category. 


[Screenshot: the Media view sort menu, with options Pixel Count - Largest/Smallest, File Size - Largest/Smallest, Date Created - Oldest, Date Modified - Newest/Oldest, Date Accessed - Newest/Oldest, Media Type - A-Z/Z-A, Calculated Skin, and Threat Category - Alcohol, Chat, CSAM, Currency, Documents, Drugs, Extremism, Gambling, Gore, ID/Credit Cards, Porn, Swim/Underwear, Vehicles, and Weapons] 


In Media view, files can also be filtered by Threat Category. In addition to choosing the Threat 
Category of interest, you can use one of these modifier options. 


• is less than 
• is greater than 
• is between 
• is <= to 
• is >= to 


[Screenshot: the filter bar with Match: All, Reset, and Apply controls and a Category filter using the is >= to modifier] 
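The classification rule above (several categories per image, or a single category when one scores 100%) and the five filter modifiers, implemented over constructed results as an added example that is not Cellebrite code. The image names and scores are made up; parse_metadata reads the Category: score lines in the form they appear in the Metadata tab, and a category missing from an image's results is treated as a score of 0.0, which is an assumption of this example.

```python
# Constructed classification results: image name -> {category: percentage}. The values
# mirror the form shown in the Metadata tab but are not from a real evidence item.
SAMPLE_RESULTS = {
    "beach.jpg": {"Alcohol": 87.782722, "Drugs": 0.112860, "Gambling": 0.855617,
                  "Vehicles": 0.193977, "Weapons": 0.101853},
    "rifle.png": {"Weapons": 100.0, "Alcohol": 0.0, "Porn": 0.0},
    "traffic.jpg": {"Vehicles": 42.5, "Documents": 12.0, "Chat": 0.0},
}

# The five modifier options offered by the Threat Category filter. "is between" needs both
# bounds; the others ignore the second argument.
MODIFIERS = {
    "is less than":    lambda v, lo, hi=None: v < lo,
    "is greater than": lambda v, lo, hi=None: v > lo,
    "is between":      lambda v, lo, hi=None: lo <= v <= hi,
    "is <= to":        lambda v, lo, hi=None: v <= lo,
    "is >= to":        lambda v, lo, hi=None: v >= lo,
}


def parse_metadata(lines):
    """Parse 'Category: score' lines (as shown in the Metadata tab) into a dict of floats.
    Lines without that shape, such as the Field / Value header, are ignored."""
    scores = {}
    for line in lines:
        if ":" not in line:
            continue
        category, _, value = line.rpartition(":")
        try:
            scores[category.strip()] = float(value.strip())
        except ValueError:
            continue
    return scores


def categories_of(scores):
    """Categories an image is reported under: every category with a non-zero score, unless
    one category scored 100%, in which case only that category applies."""
    full = [c for c, v in scores.items() if v >= 100.0]
    if full:
        return full[:1]
    return sorted(c for c, v in scores.items() if v > 0.0)


def filter_by_category(results, category, modifier, value, upper=None):
    """Image names whose score for the chosen category satisfies the modifier,
    in name order. An image with no score for that category counts as 0.0 (assumption)."""
    pred = MODIFIERS[modifier]
    return sorted(name for name, scores in results.items()
                  if pred(scores.get(category, 0.0), value, upper))


if __name__ == "__main__":
    for name, scores in SAMPLE_RESULTS.items():
        print(name, categories_of(scores))
    print(filter_by_category(SAMPLE_RESULTS, "Vehicles", "is between", 10, 50))
```

Running the filter with a low threshold (for example, Vehicles is >= to 0.19) surfaces images whose score is tiny but non-zero, so a threshold chosen for review should reflect how confident a hit must be before an examiner spends time on it.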
Analyzing Audio Files 


The Media view shows audio file information and cover art (when available), and built-in playback 
controls allow examiners to listen to audio files directly from within Inspector. 


At the top left of the Content pane, select the drop-down menu, and choose Audio. Inspector 
displays a list of audio files, including music files, ring tones, podcasts, and other sound files, 
contained on the selected device. 


[Screenshot: the Audio list in the Content pane with Title, Artist, Album, and Year columns, listing tracks by artists such as Elton John, Vanilla Fudge, Joe Cocker, The Association, Rita Coolidge, The Beatles, The Doors, Lulu, The Commodores, and Bay City Rollers, with the File Content view tabs below] 


To play an audio file, select it in the Content pane. At the top of the File Content view, click 
Preview and then click Play. On Mac computers only, you can also click Quick Look (eye button) or 
press SPACEBAR to play the audio file. 


After you run the metadata processor, you can see audio metadata in the Information pane. 
The Communication view includes data from various forms of communication including phone 
calls, messaging, social media, and email. 


This chapter provides these topics about the Communication view. 


e Phone Artifacts 
e Messaging 

e Social Media 

e Contacts 

e Email 


Phone Artifacts 


On the toolbar, click Communication. Of the eight additional sub-views that display, four relate to 
phone call, voice, and video conference data on cellular and Wi-Fi-enabled devices. 


Note: Both iPod touch and iPad devices are Wi-Fi-enabled. Therefore, FaceTime sessions (along 
with other features that connect over Wi-Fi) may be present on both device types. 


In any of the sub-views in the Communication view, select any column heading to sort 
communication records by attribute. 


Calls 


At the top of the Content pane, click Calls. The Calls sub-view displays recent incoming, outgoing, 
and missed phone calls, as well as FaceTime and Skype sessions. Data is arranged in the 
following columns: Service, Direction, Type, Date, Contacts, Duration, and Status. The Status 
column indicates whether a communication was cancelled, missed, or failed. The Direction 
column displays whether a communication was incoming or outgoing. Names associated with a 
contact in the device's address book are included in the Contacts column. 


Select a phone, FaceTime, or Skype session file in the Content pane. In the File Content view, 
click Preview. The File Content view displays the database file containing raw data for calls, 
FaceTime sessions, and Skype sessions. For iOS devices, this database is the call_history.db 
SQLite database file, which contains the last 100 communication records sent or received on the 
iOS device. This is the maximum number of records the call_history.db SQLite database can 
retain under normal circumstances. If the iOS device is jailbroken, the database file may be 
customized and may retain more than 100 records. 
Inspector displays communication records deleted by the user or the device's operating system 
in red italic font. 


[Screenshot: the Calls sub-view with the Service, Direction, Type, Date, Contacts, Duration (HH:MM:SS), and Status columns, listing iPhone calls with Missed and Cancelled status and Skype audio sessions, and the Hex tab of the File Content view below showing the start of the SQLite database file] 


Voicemail 


At the top of the Content pane, click Voicemail. Voicemail records are displayed. At the top of the 
File Content view click Preview. Select an active voicemail file, and in the File Content view, audio 
playback controls display. Click Play to listen to the voicemail. 


If a voicemail number is associated with a contact in the device's address book, a name appears 
in the Name(s) column. Unheard voicemail records display with a small blue dot in the Unheard 
column. If an examiner listens to the message from within the Inspector interface, the small 
blue dot remains. 


In the Content pane, highlight a voicemail record and press SPACEBAR. A Quick Look window 
appears and automatically plays the voicemail message. Or, at the top of the File Content view, 
click Preview to display an audio playback interface for the selected voicemail. Click Play to play 
the voicemail. 


Deleted records appear in red italic font. In some instances, a record is displayed twice, once as 
a deleted record and once as an active record. When a caller leaves a voicemail, duplicate 
records may be created. When the user deletes the voicemail, the iOS operating system only 
deletes one of the records. 

Recovered voicemail messages cannot be played. Voicemail messages on iOS are AMR files. 
When a voicemail is deleted, the AMR file is also deleted. Voicemail files on devices running 
older iOS versions can sometimes be carved from unallocated space. However, recovery is 
currently not possible if the device is running iOS version A and higher. 


Voice Memos 


At the top of the Content pane, click Voice Memos. Voice memo details are displayed. Select a 
voice memo in the Content pane, and press SPACEBAR. A Quick Look window appears and 
automatically plays the Voice Memo file. Or, at the top of the File Content view, click Preview to 
display an audio playback interface for the selected voice memo. Click Play to play the Voice Memo 
file. 


Like deleted voicemail messages, deleted Voice Memo files appear, but do not play because the 
.m4a file is deleted from the file system when the voice memo is deleted. 


Favorites 


At the top of the Content pane, click Favorites to display contacts that a user designates as 
favorites (possibly the most often used contacts). Favorites data is arranged in Name, Address 
(number), and Label (home, mobile, work, etc.) columns. 


Messaging 


Cellebrite Inspector parses and displays these types of message communication. 


• SMS 
• MMS 
• iMessage 
• iChat 
• Skype 
• Messages 
• WhatsApp 
• Kik 
• textPlus 
• Textfree 
• Tango 


In the Component list in the Evidence section, select a device. On the toolbar, click 
Communication, then click Messages. Every messaging service that can be parsed by Inspector 
will appear in the main window. 


Inspector displays communication records deleted by the user or the device OS in red italic font. 
To filter messages by contacts, at the top of the Content pane, choose Contacts in the Filter field. 
The default is All messages. To sort messages, click List View and then click a column heading 
such as Service, Direction (incoming or outgoing), Date, Content, Subject, Sender, Participants, and so 
forth. 


[Screenshot: Messages sub-view in List View with Service, Direction, Date, Content, Subject, Sender, Participants, and Attachment columns listing SMS records from 2010-11-30; the Full Message panel below shows the text of the selected message]


Message records are easily sorted and tagged using these filter and sort features. In List View, 
selecting a message causes the message contents to appear in the Full Message panel in the 
lower section of the Content pane. 


Note: Messages without text appear in the List View with an empty Content column. 


In the Content pane, select an MMS message. In the File Content view, click Preview. Items that 
display as Attachment indicate that a file is attached to a message. These may be pictures, 
movies, or other file types, and the type is indicated next to the word Attachment. For 
instance, an attached image shows <Attachment - image/filename> in the Content column. 


You can see a message as a two-way conversation, the way a user would actually see it on a 
device. At the top of the Content pane, click Conversation View. Picture files display as 
thumbnails, and movie files display with a play icon superimposed over a static thumbnail within 
the conversation. 

Conversation View shows messages using three different conversation bubble colors: green for 
outgoing SMS messages, blue for outgoing iMessages, and gray for incoming messages (the 
same way an iOS device displays them). The colors are the same for other messaging types. 


[Screenshot: Conversation View of messages parsed from /Racer - Data/Users/josh/Library/Messages/chat.db]


Media files may be viewed and/or played (if the file is a movie) in the File Content view using the 
Preview or Quick Look views. 


Scroll through the Hex, Strings, Preview and Quick Look (Mac only) tabs at the top of the File 
Content view to examine SMS, MMS, and iMessage records using different views. Select a 
message containing a movie file. In the File Content view, click Preview. Click Play in the File 
Content view, or click Quick Look (eye button), and the movie plays. 


MMS movies usually have the file extension of .3gp and are located in the /Library/SMS/Parts 
directory (folder). Use the File Filter to quickly find and view MMS and iMessage movies. For 
more information, see File Filters. 


If iChat log files are present, they are represented by the messaging service that was used. The 
name of the particular messaging service used appears in the Service column. For example, 
if AIM was used for iChat, the name AIM is listed in the Service column. Other iChat 
messaging services include Google Talk and JABBER. 


Select an AIM item in the Content pane. In the File Content view, click Preview. The chat session 
.plist data, created by the iChat application, is displayed. iChat sessions are stored in a .plist file. 


In the File Content view, click Hex, Strings, Preview and Metadata to display iChat data in different 
ways. 




Social Media 


Inspector parses and displays communications from several common social media applications. 
In the Evidence section of the Component list, select a device. On the toolbar, click 
Communication > Posts. Select any column in the Content pane to sort. 


Communications from all social media applications are shown together in the Content pane. 
Select an item, and the full text of the message appears in the Full Post display area beneath the 
Content pane. Inspector displays communication records deleted by the user or the device's 
operating system in red italic font. 


The Posts sub-view can show this information, when it is available, about each post in the 
Content pane. 


Column: Description 


Service: Name of the social media application 

Date: Post timestamp 

Post ID: The application's ID number for the post 

Title: Title text of the post 

Post: Body text of the post 

Comment: Comment text of the post 

Media: [blank] - No media item was attached to this post; <Attachment - image> / <Attachment - photo url> - A media item was attached to this post 

Author: The author of the post. If the author cannot be identified, this value shows Unknown. 

Media Owner: The media owner of the media attached to the post 

Associated Users: Users associated with the post 

Comment ID: 
• For Foursquare posts containing a comment entry, this value identifies the ZFSCOMMENT table row from the Foursquare app's foursquare.sqlite database where the comment text was identified 
• For Facebook fragments containing a comment entry, this value identifies the ZCOMMENT table row from the Facebook app's Store.sqlite database where the comment text was identified 

Media Link ID: 
• For Foursquare posts containing a media entry, this value identifies the ZFSPHOTO table row from the Foursquare app's foursquare.sqlite database where the media entry was identified 
• For Facebook fragments containing a media entry, this value identifies the ZMEDIA table row from the Facebook app's Store.sqlite database where the media entry was identified 


Post fragments with an associated picture may have a locally cached version of that picture. If a 
locally cached version exists and is able to be identified, Inspector parses and displays that 
picture in Preview sub-view when the fragment is selected. 


To focus on items from just one application (such as Facebook, Foursquare, Swarm, Twitter, 
LinkedIn, or Tango), sort by the Service column or use a filter. To show or hide the file filter, click 
Show/Hide Filter (three arrows) below the right side of the toolbar. Then select the desired filter 
to narrow results. For more information, see File Filters. 


You can see application bundle contents, including available profile information for social media 
applications. For more information, see System View. 


Contacts 


On the toolbar, click Communication > Contacts. This sub-view shows contacts on a device. 


[Screenshot: Contacts sub-view listing contacts by phone number with First, Last, Organization, and Service columns; the Service column shows the source of each entry (Recents, SMS, iChat, iMessage)]


On the left side of the Content pane select a contact, and on the right side of the Content pane 
select a contact avatar if one exists. The source image opens to its full size. Contact avatars are 
sometimes cropped or masked. By selecting the avatar in Inspector, you can see the entire 
source image. Tag the image, and it will appear in a report both as a thumbnail and as a full-size 
image. 


Deleted contacts appear in red italic font. 


Records in the Contacts sub-view can be exported as either tab-delimited or CSV files. In the left 
side of the Content pane, select one or more rows of data, open the context menu, and then click 
Export > Export Selected Rows to choose the format (tab-delimited or CSV) and save location. All 
fields of the contact data are included in exports (all data in the right half of the Content pane 
rather than just the first name, last name and organization fields seen in the highlighted row). 
Contacts with multiple entries of the same type (for example multiple email addresses) have 
those entries combined into a single field on the export, with semicolons separating entries. 


[Screenshot: exported contact rows showing the Phone(s), Email(s), Location, and Other Data fields, for example (408) 513-1851 with max@peoplemovers.net;maxw@gmail.com, (202) 867-8156 with pauls@psi.net and HomePage:www.psi.net, and an Other Data field beginning Skype ID:makayla_shakeit;]


Email 


The Email sub-view in Inspector supports these email formats. 


• .pst and .ost (Outlook for Windows) 
• general mbox (exported Mac Mail and other platform-agnostic clients) 
• .olk15Message (Outlook for Mac) 
• .eml 
• .emlx 
• .imapmbox 


For email previews to be included in reports, you must enable them on the Reports tab of the 
Preferences or Options window for Inspector. For more information, see Inspector Preferences 
or Options. Additionally, the emails must be tagged either within the Email sub-view of the 
Communications view or from Index Search when the Type field is Email, and you must also 
mark the Export checkbox in the Report view. 


1. In the Evidence section of the Component list, select an evidence item. 

2. On the toolbar, click Communication > Email. 

3. At the top of the Content pane, click Mailboxes and choose a mailbox to view, or leave the 
drop-down set to All. 


Unread emails are shown in bold text. Emails that have one or more attachments show the 
quantity in the Attachment Count column. 


[Screenshot: Email sub-view with the Mailboxes drop-down set to /Racer - Data/Users/josh/Library/Mail/V7, a message list with From, To, Subject, Date Sent, Size, and Attachment Count columns, the Mail, Properties, Raw Source, and Attachments tabs, and the Metadata tab of the File Content view showing the selected 17.emlx file's Name, Path, Size, and SizeOnDisk]


To find a keyword within any parsed mail messages, use the filter on the far right in the 
Communication view. These are the filter options for email. 


• Attachment Count 
• Date Sent 
• From 
• Subject 
• Size 
• To 
• Content 


March 2022 Cellebrite Inspector User Guide 


Filtering by content looks for data within the content of the emails. 


[Screenshot: Email sub-view with the filter set to Content contains "stealing", listing the matching messages; the Raw Source tab below shows the selected message's MIME headers and quoted-printable body, and the Metadata tab shows the 291.emlx file's Name, Path, Size, and SizeOnDisk]


When you select an email in the list, these tabs in the lower portion of the Content pane allow for 
various views of that email. 


• Mail (for a rendering of the email) 
• Properties 
• Raw Source 
• Attachments (to see a list of attachments) 


Choose an attachment, then click Preview in the File Content view. The selected file appears. On 
Mac computers, with the attachment file still selected, click Quick Look (eye button) or press 
SPACEBAR to see the attachment using the Quick Look framework. Email attachments are 
tagged with the email and can also be tagged separately. 


For more information, see Tags. 
Support for EMLX and EMLX Partial 


EMLX is a Mail Message (Apple Mail Email) file used to store an email message. These are plain 
text files that store just a single email message. EMLXPART files are used by Apple Mail as well, 
but as attachment files instead of as the actual email files. The emails show the typical content 
instead of the header information, and the attachments are automatically included. 
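As an added example (not Inspector's own code and not from this guide), here is a small Python parser for the .emlx layout described above. It reads the leading byte-count line, hands the single RFC 5322 message to the standard library's email package, and reads the XML property list that Apple Mail appends after the message. From those parts it produces the kind of row the Email sub-view shows: sender, subject, Message-ID, an attachment count, and whether the message is unread. The sample file, its addresses and identifiers, and the bit positions used by decode_flags are constructed assumptions, not values taken from any real mailbox.

```python
"""Parse an Apple Mail .emlx file (added example, not Inspector code).

Layout assumed here: a first line holding the decimal byte length of the
message, the raw RFC 5322 message of exactly that length, then an XML
property list in which Mail keeps its own metadata (flags, date-received).
"""
import email
import plistlib
from dataclasses import dataclass, field
from email import policy

# Constructed sample; no real mailbox was used.
RAW_MESSAGE = (
    b"From: Sender Example <sender@example.invalid>\r\n"
    b"To: Recipient Example <recipient@example.invalid>\r\n"
    b"Subject: Constructed sample\r\n"
    b"Date: Tue, 04 Jan 2011 15:38:28 -0500\r\n"
    b"Message-ID: <constructed-0001@example.invalid>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Body text of the constructed sample.\r\n"
    b"--b1\r\n"
    b'Content-Type: image/png; name="IMG_0001.png"\r\n'
    b'Content-Disposition: attachment; filename="IMG_0001.png"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"iVBORw0KGgo=\r\n"
    b"--b1--\r\n"
)
# Constructed flags value 1025 = bit 0 (read) + 1 << 10 (one attachment); see decode_flags.
TRAILING_PLIST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>date-received</key><integer>1294173508</integer>\n"
    b"<key>flags</key><integer>1025</integer>\n"
    b"</dict></plist>\n"
)
SAMPLE_EMLX = b"%d\n" % len(RAW_MESSAGE) + RAW_MESSAGE + TRAILING_PLIST


@dataclass
class EmlxRecord:
    headers: dict
    body_text: str
    attachments: list = field(default_factory=list)
    mail_plist: dict = field(default_factory=dict)


def parse_emlx(data: bytes) -> EmlxRecord:
    """Split an .emlx blob into the message and Mail's trailing plist."""
    first_newline = data.index(b"\n")
    declared = int(data[:first_newline].strip())
    start = first_newline + 1
    message_bytes = data[start:start + declared]
    if len(message_bytes) != declared:
        # A truncated or carved file: refuse rather than parse a partial message silently.
        raise ValueError("file is shorter than the declared message length")
    plist_bytes = data[start + declared:].strip()

    msg = email.message_from_bytes(message_bytes, policy=policy.default)
    wanted = ("From", "To", "Subject", "Date", "Message-ID")
    headers = {name: str(msg.get(name, "")) for name in wanted}
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body is not None else ""
    attachments = [part.get_filename() or "<unnamed>" for part in msg.iter_attachments()]
    mail_plist = plistlib.loads(plist_bytes) if plist_bytes else {}
    return EmlxRecord(headers, body_text, attachments, mail_plist)


def decode_flags(flags: int) -> dict:
    """Bit positions are an assumption taken from published analyses of
    Mail's flags integer: bit 0 read, bit 1 deleted, bits 10-15 attachment count."""
    return {
        "read": bool(flags & 1),
        "deleted": bool(flags & 2),
        "attachment_count": (flags >> 10) & 0x3F,
    }


def summarize(data: bytes) -> dict:
    """One row like the Email sub-view: sender, subject, date, attachments, unread."""
    rec = parse_emlx(data)
    flags = decode_flags(int(rec.mail_plist.get("flags", 0)))
    return {
        "from": rec.headers["From"],
        "subject": rec.headers["Subject"],
        "date": rec.headers["Date"],
        "message_id": rec.headers["Message-ID"],
        "attachment_count": len(rec.attachments),
        "unread": not flags["read"],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EMLX).items():
        print(f"{key}: {value}")
```

The length check matters for carved or partially overwritten files: a message shorter than its declared length is reported instead of being parsed as if it were complete. On a .partial.emlx, where Mail keeps attachment bodies outside the file, the same parser still returns the headers and text, and the attachment list then reflects only what the file itself carries (an assumption about the partial layout, not something the guide states).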


[Screenshot: Email sub-view showing a .partial.emlx message (Subject "Further IP address Information") in the message list; the Mail tab renders the message with its From, To, Subject, Date, and Message-ID lines and body text, and the Preview tab of the File Content view shows the same content]


[Screenshot: the Inspector main window with an Email tag applied to a tagged email attachment (Communications Email Attachment, 1 item), the Preview tab showing the .partial.emlx message, and the generated Digital Forensics Report listing the attachment IMG_0150.jpeg with its Source Device, Path, Name, Subject, Type (image/jpeg), Size (207 KB), PicWidth (128), PicHeight (69), Source File, and Thumbnail]




To render the attachments in the report, you must enable the preference to Create previews for 
tagged email. It is disabled by default because it can slow down generation of very large reports. 
For more information, see Inspector Preferences or Options. 


When the report is generated, the email can be seen as well as previewed by clicking on the 
Preview link. This shows the email as the user saw it. Any attachments can also be seen in the 
preview of the report as well as the attachment link. 


[Screenshot: generated report entries for two tagged emails, each listing Source Device, Path, From, To, Subject, Received Date, Sent Date, Message ID, Body, Size, Source File, a Preview link, and the attachments (file name, MIME type, size, and, for images, width and height); the preview shows the email as the user saw it, with the attachment available through its own link]


Locations, Internet, and Productivity Views 


This chapter provides these topics about the Locations, Internet, and Productivity views: 


• Locations View 
• Internet View 
• Productivity View 


Locations View 


In the toolbar, click Locations to open the Locations view. The Locations view lets you examine 
this information: 


• Google and Apple Maps usage 
• Geolocation data from media files, calendar and social media apps 
• Wi-Fi network information 
• Additional location services data. This is Apple's definition of location services. 


“Location Services allows location-dependent apps and websites (including Maps, Camera, 
Safari, and other Apple and third-party apps) to use information from cellular, Wi-Fi, and 
Global Positioning System (GPS) networks to determine your approximate location.” 


These are the sub-views for the Locations view: 


• Map View Sub-view 
• Location List Sub-view 
• Offline Maps 
• Wi-Fi Sub-view 


Map View Sub-view 


The default sub-view in Locations is Map View. This view assembles all of the location data 
parsed from the evidence, creating an interactive cluster map. Location data parsed includes 
Google Maps and Apple Maps searches, bookmarks, dropped pins, and old tags, as well as 
media files and calendar items that contain geolocation data. Also, certain social media apps 
contain geolocation data that can be parsed into this sub-view. While each app may store 
different pieces of data, at a minimum, latitude and longitude are parsed and displayed. Based 
on the source app, additional information such as a timestamp, location name and address, and 
other data may be parsed and displayed. The map is generated using map tiles installed on the 
system with the Inspector installer based on OpenStreetMap. All data containing geolocation 
information is represented on the cluster map by a blue dot. Densely populated regions of the 
map also display a numerical value indicating the number of data items mapped in that region. 


[Screenshot: Map View cluster map with blue dots and numbered clusters, and the Data Interpreter panel set to Decimal with a Go To Position field]


The cluster map lets you zoom in and out using the slide bar on the lower right side. When 
zooming, it automatically focuses on the area of the map centered in the window. To change the 
focus, click on the map window, hold down the mouse button and drag the appropriate region 
into the center of the map. You can do this as necessary until the appropriate region is shown in 
the center of the map. 


Map tile size changes when the zoom level changes. Interacting with the map tiles reveals the 
mapped geolocation data. When a map tile is selected, data points mapped on that tile appear in 
the right side of the Content pane. These columns can provide detailed information. 


Service 
Date 
Type 
Name 
Address 
Latitude 
Longitude 
Distance 
Altitude 
Accuracy 
Speed 


The selected map tile is highlighted on the map in the Content pane with the corresponding data 
listed on the right side of the pane. Data points are marked on the map with a blue dot. If a data 
point is selected on the map, the dot changes to pink and the corresponding data on the right is 
highlighted. 


[Screenshot: the data list on the right side of the Content pane for a selected map tile, with Name, Address, Latitude, and Longitude columns listing picture files and media identifiers at latitudes near 52.04 to 52.06 and longitudes near 5.41 to 5.57]


For a data point on the map, open the context menu, where you can copy the location to the 
clipboard, or show the location in Google Maps, OpenStreetMaps, or Bing Maps. When connected 
to the Internet, choosing an option for showing location opens the selected map in the default 
web browser. 




[Screenshot: context menu for a map data point with Copy location to clipboard (52.326573, 4.744672), Show location in Google Maps (Road, Satellite), Show location in OpenStreetMap, and Show location in Bing Maps (Road, Aerial), beside the Date, Type, and Name list of mapped pictures and videos]
Tagging information from Map View tags only the location data. It does not tag the associated file 
or any other file metadata. You can tag the file only in the Browser view. To see the file 
associated with location data, open the context menu from an item in the list, and then click 
Reveal > File in File Browser. 


You can use the Filter pane in the Map View to show geolocation information based on the 
parsed data. For instance, you can create a filter to map only geolocation data extracted from 
Video data. Once a filter is applied, the cluster map shows only the data that meets the filter 
criteria. 


[Screenshot: Map View with the Filter pane set to Match: All and Type equals Video, so the list on the right shows only video files with their Type, Name, Address, and Latitude columns]


Location List Sub-view 


At the top of the Content pane, click Location List. The Location List sub-view displays Google 
Maps and Apple Maps searches, bookmarks, dropped pins, old tags, as well as media files and 
calendar items that contain geolocation data. Also, certain social media apps contain geolocation 
data that can be parsed into this sub-view. While each app may store different pieces of data, at 
a minimum, latitude and longitude are parsed and displayed. Based on the source app, 
additional information such as a timestamp, location name and address, and other data may be 
parsed and displayed. 


Select any record in the Location List view, then click Location in the File Content view to see one 
or more offline maps depicting the item's latitude and longitude coordinates. 


Inspector presents a set of static maps based on OpenStreetMap. Select a file that contains GPS 
coordinates and click Location in the File Content view. In the Location tab, you can see an offline 
map with three levels of zoom. You can download additional maps for additional zoom 
capabilities. 


[Screenshot: Location tab of the File Content view for a picture, listing its GPS metadata (Altitude 625.6139 m (2053 ft), Altitude Reference Sea level, Image Direction 29.06641 True direction, Latitude 36.1435, Longitude -115.157333333, Time Stamp 04:32:07), a Show on Google Maps button, and an offline map of the area around Lake Mead]
The zoom is currently set at levels 3, 5, and 8. When additional zoom level tiles are downloaded, 
Inspector increases its maximum zoom accordingly. When connected to the Internet, you may 
also zoom in by clicking Show on Google Maps. The default web browser opens to Google Maps, 
allowing control of the zoom level and viewing style. With Inspector, you can export files 
containing GPS information as a .kmz file or in .kml format. Select the files containing GPS data, 
open the context menu, click Export > Export Selected Location Data As, and then choose either 
KMZ or KML format. In the Export window, provide a file name, choose or create a destination 
folder, and then click Export. Inspector exports the GPS data to a .kmz or .kml file in the 
destination folder. To see the geolocation coordinates using Google Maps (the analysis machine 
must be connected to the Internet), select the Show on Google Maps button. 


[Screenshot: Location List sub-view listing Picture records with their Date, Type, Name, Latitude and Longitude; the Location tab shows the selected record's Latitude, Longitude and Time Stamp and a Show on Google Maps button] 


For iOS devices, the Location Data sub-view also displays the contents of the consolidated.db file 
(Location Services), read from /Library/Caches/locationd/consolidated.db. 


For Location Services, three data types are displayed: Wi-Fi, Cell and Cell (Local). Wi-Fi 
information is collected from nearby Wi-Fi access points. Cell data is collected from nearby cell 
towers. 


Cell (Local) is data from cell towers the phone connects to. This data may suggest the phone's 
locations over time. Date and timestamp data is not always accurate, however, because Apple 
batch dumps much of this data into this database. Look at the timestamps and notice they are 
often the same. 


Each database record includes the type of Location Service (Wi-Fi or Cell), a UTC timestamp, and 
GPS latitude and longitude coordinates. If Location Services obtained geolocation data from a 
Wi-Fi signal, the Wi-Fi device Media Access Control (MAC) address appears. 


Geolocation data in the Location Data sub-view may be exported from a non-networked analysis 
machine to a networked machine and viewed dynamically using the Google Earth application. In 
the Content pane, use your computer's normal procedures to select a single record, several 
adjacent records, or several non-adjacent records. Open the context menu, select Export 
Selected Location Data As, then choose either KMZ or KML format. In the Export window, provide 
a name for the file, choose or create a destination folder, and then click Export. Inspector exports 
the GPS data to a .kmz or .kml file in the destination folder. 
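As an added example (not Inspector's own code), the export described above carried out in Python over constructed Location Services records: each record carries the type, the UTC timestamp, latitude and longitude, and the Wi-Fi MAC address where present, and the script writes them in KML and KMZ form, marking the shared timestamps that the batch-dump behaviour produces. The record values, MAC addresses and file names are constructed sample data.

```python
"""Export Location Services records as KML/KMZ (added example, not Inspector code)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Optional

KML_NS = "http://www.opengis.net/kml/2.2"


@dataclass(frozen=True)
class LocationRecord:
    source: str             # "Wi-Fi", "Cell" or "Cell (Local)"
    timestamp_utc: str      # as shown in the Content pane, e.g. "2015-06-12 11:51:21 (UTC)"
    latitude: float
    longitude: float
    mac: Optional[str] = None   # present only for Wi-Fi records


# Constructed sample records. Three of them share one timestamp: the
# batch-write effect the text warns about.
SAMPLE_RECORDS = [
    LocationRecord("Wi-Fi", "2015-06-12 11:51:21 (UTC)", 41.94033333, -87.70016667, "00:11:22:33:44:55"),
    LocationRecord("Cell", "2015-06-12 11:51:21 (UTC)", 41.88216667, -87.61883333),
    LocationRecord("Cell (Local)", "2015-06-12 11:51:21 (UTC)", 42.08866667, -87.7165),
    LocationRecord("Wi-Fi", "2015-06-12 11:54:38 (UTC)", 41.87856667, -87.63, "66:77:88:99:aa:bb"),
]


def batched_timestamps(records):
    """Timestamps shared by more than one record (likely written in one batch)."""
    counts = Counter(r.timestamp_utc for r in records)
    return {ts for ts, n in counts.items() if n > 1}


def build_kml(records, document_name="Location Data"):
    """Serialise records as a KML Document with one Placemark per record."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = document_name
    suspect = batched_timestamps(records)
    for rec in records:
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{rec.source} {rec.timestamp_utc}"
        desc = [f"Source: {rec.source}", f"Timestamp: {rec.timestamp_utc}"]
        if rec.mac:
            desc.append(f"MAC: {rec.mac}")
        if rec.timestamp_utc in suspect:
            desc.append("Note: timestamp shared with other records (possible batch write)")
        ET.SubElement(pm, "description").text = "\n".join(desc)
        point = ET.SubElement(pm, "Point")
        # KML orders coordinates as longitude,latitude,altitude
        ET.SubElement(point, "coordinates").text = f"{rec.longitude},{rec.latitude},0"
    return ET.tostring(kml, encoding="unicode")


def build_kmz(records):
    """KMZ is a ZIP archive whose main entry is doc.kml; return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("doc.kml", build_kml(records))
    return buf.getvalue()


def read_kmz(data):
    """Inverse of build_kmz: extract the KML text from KMZ bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("doc.kml").decode("utf-8")


def placemark_coordinates(kml_text):
    """Parse KML text and return [(latitude, longitude), ...] in document order."""
    root = ET.fromstring(kml_text)
    out = []
    for coord in root.iter(f"{{{KML_NS}}}coordinates"):
        lon, lat, _alt = coord.text.strip().split(",")
        out.append((float(lat), float(lon)))
    return out


if __name__ == "__main__":
    with open("location_data.kml", "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + build_kml(SAMPLE_RECORDS))
    with open("location_data.kmz", "wb") as fh:
        fh.write(build_kmz(SAMPLE_RECORDS))
    print(placemark_coordinates(build_kml(SAMPLE_RECORDS)))
```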


Wi-Fi Sub-view 


At the top of the Content pane, click Wi-Fi. This sub-view shows Wi-Fi networks that the device 
has joined. Network SSID, BSSID, (signal) Strength, Security (open, WPA2, etc.), Last Joined, and 
Last Auto Joined information is also shown. 


Only networks that the device has joined are listed. Networks that are merely detected and 
shown as available are not part of this list. 
Internet View 


The Internet view shows files associated with Safari, Firefox, Google Chrome, Internet Explorer, 
and Edge web browsers. This view includes Internet history from Windows and Mac computers 
as well as iOS and Android devices. 


In the Evidence section of the Component list, select a device. On the toolbar, click Internet. 
Internet files appear in the Content pane. By default, Inspector groups Internet log items by 
browser, so Firefox items will be grouped together, as will Safari and Google Chrome items. 


[Screenshot: Internet view for a computer evidence item; bookmark records are grouped by browser in the Content pane (Browser, Title, Location, Date Created, User columns) and the Record tab shows the parsed Bookmarks.plist entry with its WebBookmarkType and WebBookmarkUUID values] 


Inspector shows these items in sub-views. 


Item            Description 
Bookmarks       A list of saved web addresses 
Cache           Web documents (HTML pages, images) remembered by the user's browser. 
                Pages that are temporarily cached by a browser load quickly because data 
                does not have to be accessed again from the Internet. 
Cookies         Files stored by a user's browser from a website that has been opened in 
                the browser 
Downloads       List of files downloaded using a browser 
Form Data       Personal data stored in an unencrypted database. May include credit card 
                information, usernames, passwords, etc. 
History         A list of websites that have opened in a browser 
Last Session    A list of websites that opened in Safari during the last browser session. 
                Used for crash recovery 
Recent Search   A user's most recent searches 
Top Sites       Safari's visual representation (thumbnail images) of Internet history 


These items are often stored as either a .plist file, within an SQLite database file, or INDEX.DAT 
files (in the case of Internet Explorer). 


• In the Content pane, select an Internet cache item. At the top of the File Content view, click 
Preview. Cache file contents (including cached pictures when available) display. 


Inspector includes analysis support for these browsers. 


Browser                                        Supported Type 
Microsoft Internet Explorer vo - 9.0           Client UrlCache MMF Ver 5.2 
Microsoft Internet Explorer v10, v11, Edge     Extensible Storage Engine (ESE) database 
Mozilla Firefox v3 - 70                        SQLite and Cache Map 
Google Chrome v0.2 - 78                        History and Cache 
Apple Safari Mac OS X v1 - 13.0.3              Binary/XML History and Cache.db 
Filtering on Internet Domain Categories 


Internet domains are automatically categorized according to a list created by Cellebrite. 
Accordingly, the filter options for the Internet views now include Internet Category. The list of 
categories is determined by the nature of the domains for internet artifacts ingested for the 
entire case. It can include a wide variety of categories in broad areas such as arts and 
entertainment, business and consumer, computers, electronics and technology, hobbies and 
leisure, and many more. 


This is a list of internet categories present for an example case. 


Arts and Entertainment/Animation and Comics 
Arts and Entertainment/Arts and Entertainment 
Arts and Entertainment/Humor 
Arts and Entertainment/Music 
Arts and Entertainment/TV Movies and Streaming 
Arts and Entertainment/Visual Arts and Design 
Business and Consumer Services/Business Services 
Business and Consumer Services/Business and Consumer Services 
Business and Consumer Services/Marketing and Advertising 
Business and Consumer Services/Online Marketing 
Business and Consumer Services/Real Estate 
Business and Consumer Services/Shipping and Logistics 
Computers Electronics and Technology/Advertising Networks 
Computers Electronics and Technology/Computer Security 
Computers Electronics and Technology/Computers Electronics and Technology 
Computers Electronics and Technology/Consumer Electronics 
Computers Electronics and Technology/Email 
Computers Electronics and Technology/File Sharing and Hosting 
Computers Electronics and Technology/Graphics Multimedia and Web Design 
Computers Electronics and Technology/Programming and Developer Software 
Computers Electronics and Technology/Search Engines 
Computers Electronics and Technology/Social Networks and Online Communities 
Computers Electronics and Technology/Telecommunications 
Computers Electronics and Technology/Web Hosting and Domain Names 
Finance/Banking Credit and Lending 
Finance/Finance 
Finance/Financial Planning and Management 
Finance/Investing 
Hobbies and Leisure/Crafts 


Internet domains that include sites with risk for malware and cryptocurrency, for example, 
appear in categories like these. 


• "Computers Electronics and Technology/Computer Security" for Bitcoin and malware 
• "Finance/Finance" for Dogecoin 


Productivity View 


On the toolbar, click Productivity. The Productivity view has two sub-views, Calendar and Notes. 


Calendar Sub-view 


At the top of the Content pane, click Calendar to see calendar events and notes from the Calendar 
application (for macOS and iOS). 


Calendar events are displayed with time zone information. If Floating appears in the Time Zone 
column, the event is set to adjust the time zone automatically according to the device's clock. 
Notes associated with calendar events are displayed. They may contain contact names, phone 
numbers, directions, and so forth. 


Deleted calendar items appear in red italic font. 
Notes Sub-view 


At the top of the Content pane, click Notes to see notes stored with the Notes application (for 
macOS and iOS) and the Stickies application. 


The Notes app on macOS and iOS has two storage options. Depending on the version of macOS 
and iOS, notes may be stored in notes.sqlite or NoteStore.sqlite. Notes can be stored locally on 
the device or in iCloud. iCloud notes are synced across devices that use the same iCloud 
account. 


The notes from the Stickies app are stored in ~/Library/StickiesDatabase. 


Inspector parses notes from notes.sqlite, NoteStore.sqlite, and StickiesDatabase. Data is parsed 
into these columns in the Content pane. 


• Date Created 
• Date Modified 
• Title 
• Summary 
• Account 
• Source/Folder 


The Source/Folder column indicates where the note came from. Notes can be synced using 
Google and Microsoft Exchange. These are shown along with iCloud notes and locally stored 
notes. For data stored in Stickies, the Account and Source/Folder fields are empty. 


Parsed data can be sorted using any of the Content pane columns. When a note is selected from 
the list in the Content pane, the note text appears in the Note Body section of the pane for notes 
stored in notes.sqlite and NoteStore.sqlite. 


If a note has multiple attachments, you can see those attachments in the Note Body section. You 
can see the content of attachments by clicking on an attachment and viewing it in the Preview 
tab. You can see the content in the other tabs as well. 


When you tag a note, any attachments that are part of the tagged note are automatically 
included. 


Inspector displays deleted Notes records in red italic font. 
With an item selected in the Evidence list, only the sub-views appropriate for the type of item are 
available. 


This chapter provides these topics about these sub-views in the System view in Cellebrite 
Inspector: 


• Registry 
• Spotlight 
• Windows Index 
• Dictionary 
• Applications 
• System Logs 
• Memory 


Registry 


The Windows Registry page on Wikipedia, https://en.wikipedia.org/wiki/Windows_Registry, 
provides this information about the Windows Registry (as of April 2021). 


“The Windows Registry is a hierarchical database that stores low-level settings for the 
Microsoft Windows operating system and for applications that opt to use the registry. The 
kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the 
registry. The registry also allows access to counters for profiling system performance... 
There are seven predefined root keys, traditionally named according to their constant handles 
defined in the Win32 API, or by synonymous abbreviations (depending on applications): 

• HKEY_CLASSES_ROOT (HKCR) 
• HKEY_LOCAL_MACHINE (HKLM) 
• HKEY_CURRENT_CONFIG (HKCC) 
• HKEY_USERS (HKU) 
• HKEY_CURRENT_USER (HKCU) 
• HKEY_PERFORMANCE_DATA (only in Windows NT, but invisible in the Windows Registry 
  Editor) 
• HKEY_DYN_DATA (only in Windows 9x, and visible in the Windows Registry Editor)” 
To see Windows Registry files in Inspector, first select a Windows device in the Evidence section 
of the Component list. On the toolbar, click System > Registry. Inspector shows Registry keys 
hierarchically by root-level hives/files. 


[Screenshot: Registry sub-view with the All, Significant and ShellBags tabs; the left pane lists the hives (BOOTCAMP, HKLM, SAM, SECURITY, SOFTWARE, SYSTEM and their sub-keys such as ControlSet001, DriverDatabase, HardwareConfig and Keyboard Layout) with Value Count and Last Write Time, the right pane lists the selected key's values (Name, Type), and the Record tab context menu offers View In External Application and Reveal File On Disk] 


Windows Registry files often contain important forensic evidence such as usernames and 
passwords, Internet browser artifacts, recently accessed files, installed applications, uninstalled 
applications, etc. They have two basic elements: keys and values. Keys are container objects that 
are similar to folders, and values are non-container objects that are similar to files. 


The Registry is full of places to look for important data. One of the simplest ways to locate the 
data is by searching the Registry for a value or a key or both. The Find option allows you to 
quickly search keys, values, and data. It is possible to keep searching for the next occurrence of 
a specified text string. 


Use the Find keystrokes for your computer's operating system to open the Registry Find dialog 
window. This searches through every Registry item beginning with the currently selected 
Registry key. 


By default, the Registry sub-view displays the most common root keys and sub-keys. You can 
view additional Registry keys, including those that contain backup Registry files, Registry logs, or 
incremental updates that may or may not contain relevant data. 


To see all Registry items, at the top of the Content pane, click All. Inspector shows every Registry 
file on the system. All files except the key files appear under the Other root key. 
You can also see an abridged Registry key set. At the top of the Content pane, click Significant. 


Unlike the All tab, the Significant tab shows only keys that most often contain important forensic 
evidence, such as usernames, passwords, and browser history. Hover over a Registry item in this 
view, and a tool tip appears with information about the item. 


[Screenshot: Significant tab with the NetworkCards key expanded; the tool tip reads "Maintains a list of network adapters; the list is held in numbered subkeys." and each sub-key is listed with its Last Write Time] 


You can add items to the Significant view. Click your choice of Default, All, or Significant sub- 
views. Select an item in the list and click + (add) in the top right next to Add/Remove From 
Significant Items. Navigate to the Significant view if not already there. The added item is shown 
at the bottom of the list of Registry items. To remove an item from the list, select it and click 
- (remove) in the top right next to Add/Remove From Significant Items. Preset Registry items 
cannot be removed from the Significant list. 


Shellbags 


Shellbags are a type of Windows Registry key that may provide useful information, including a 
user's display preferences for a folder, timestamps for when a folder was first visited and last 
updated, and sometimes information about deleted folders. 


In the toolbar, click System > Registry > ShellBags. 


[Screenshot: ShellBags tab showing the BagMRU folder tree (Desktop, Control Panel, Computer (This PC), volumes, MTP devices, iCloud Photos) with Name, Type, Bag Path, Slot and Created Date columns; the right pane shows the selected shellbag's metadata: Path, Last Write Date, Type ID, and Extension Block fields (Signature, Size, Version, OS Version, MFT Entry Number, MFT Sequence Number, File System, Long Name, Localized Name, Date Created, Date Accessed)] 


Available shellbag information appears in the left pane. Select one of the folders in the list to see 
metadata pertaining to the shellbag in the right pane. Metadata is also shown in the File Content 
view if the Metadata tab is selected. 


You can apply Filters to the shellbag data by clicking Show/Hide Filter and applying filter 
parameters. Individual items or groups of items can also be tagged. 
Spotlight 


Spotlight is Apple's indexing tool built into macOS and iOS. Spotlight data is stored at the root 
level of any volume that has touched a macOS system. This is known as the System Level store 
and contains metadata for files on the volume. Spotlight may also store indexed file content in 
cache text files located at /.Spotlight-V100/Store-V2/<UUID>/Cache. For macOS volumes, data is 
also parsed from the Spotlight stores listed in each user's Library folder. Spotlight files on iOS 
devices, stored in /private/var/mobile/Library/Spotlight/CoreSpotLight, are also parsed. 


To see data parsed from Spotlight, in the toolbar click System > Spotlight. 


[Screenshot: Spotlight sub-view; the upper portion lists entries with Date Updated, File Name, Display Name, Kind and Description columns, and the lower portion lists the parsed metadata keys (Key, List Index, Map Key, Value) for the selected entry] 


The data contained in Spotlight varies depending on the artifact you are viewing. The Content 
pane is split into two sections. The top portion contains columns of data with information parsed 
directly from the database and data parsed from the Spotlight metadata keys. The first column, 
Date Updated, and the columns all the way to the right (Item ID, OID, Parent OID, and Cache File) 
correspond to data contained in the Spotlight database. Between these columns is the 
information parsed from the Spotlight metadata keys. For example, the Spotlight metadata key 
_kMDItemFileName is displayed in the File Name column. The very last column, Source, contains 
the name of the Spotlight database the information was parsed from. The bottom portion of the 
Content pane lists all of the Spotlight metadata values parsed for each entry. Since Spotlight 
metadata varies, not all metadata items listed at the bottom will have a corresponding column at 
the top of the Content pane. 


Parsed Spotlight databases on macOS systems typically contain a lot of entries. In the example 
above, there are over 240,000 parsed entries. Filtering can be performed on any of these 
categories. 


• Account Handles 
• Account Identifiers 
• Account Type 
• Bundle ID 
• Cache File 
• Content Creation Date 
• Content Modification Date 
• Content Type 
• Content URL 
• Creation Date 
• Date Added 
• Date Updated 
• Description 
• Display Name 
• External ID 
• File Name 
• Item ID 
• Kind 
• Last Used Date 
• OID 
• Parent OID 
• Source 
• Storage Size 
• Use Count 
For some Spotlight entries, OID corresponds to the inode of the file listed in the entry. If there is 
more than one record containing metadata for the same file by OID (inode), examining both 
entries can provide insights into how files on the system were changed. In File Filter, a filter by 
FS ID can be used to find the file with the corresponding inode number. 
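An added example, not Inspector's own code, of the OID/inode correlation just described: it groups constructed Spotlight rows by OID, diffs the records that share one so the change between them is visible, and matches the OID against a constructed file listing's FS ID (inode) column. The entries, paths and values are sample data; the key names follow the _kMDItem... keys shown in the Spotlight sub-view.

```python
"""Correlate Spotlight records by OID/inode (added example, not Inspector code)."""
from collections import defaultdict

# Constructed Spotlight rows: the database columns shown at the top of the
# Content pane plus a few parsed _kMDItem metadata keys. Two rows share OID
# 8295255, i.e. they describe the same inode at different index times.
SPOTLIGHT_ENTRIES = [
    {"OID": 8295255, "Date Updated": "2020-05-19 21:23:28 (UTC)",
     "_kMDItemFileName": "BMW_Infotainment.docx",
     "_kMDItemDisplayNameWithExtensions": "BMW_Infotainment.docx",
     "_kMDItemContentModificationDate": "2016-05-25 13:54:20Z",
     "Source": "volume store (constructed)"},
    {"OID": 8295255, "Date Updated": "2020-04-14 16:02:01 (UTC)",
     "_kMDItemFileName": "BMW_Infotainment_draft.docx",
     "_kMDItemDisplayNameWithExtensions": "BMW_Infotainment_draft.docx",
     "_kMDItemContentModificationDate": "2016-05-22 09:12:00Z",
     "Source": "volume store (constructed)"},
    {"OID": 1200017, "Date Updated": "2020-05-20 22:39:51 (UTC)",
     "_kMDItemFileName": "Records.db",
     "_kMDItemDisplayNameWithExtensions": "Records.db",
     "_kMDItemContentModificationDate": "2019-09-20 16:00:31Z",
     "Source": "volume store (constructed)"},
]

# Constructed file-system listing as File Filter would show it; FS ID is the inode.
FILE_LISTING = [
    {"FS ID": 8295255, "Path": "/Users/josh/Documents/BMW_Infotainment.docx"},
    {"FS ID": 1200017, "Path": "/Users/josh/Library/Safari/Records.db"},
    {"FS ID": 3300111, "Path": "/Users/josh/Desktop/notes.txt"},
]


def group_by_oid(entries):
    """Map each OID to its records, oldest Date Updated first."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry["OID"]].append(entry)
    for recs in groups.values():
        # Inspector's "YYYY-MM-DD HH:MM:SS (UTC)" strings sort chronologically as text
        recs.sort(key=lambda r: r["Date Updated"])
    return dict(groups)


def oids_with_multiple_records(entries):
    """OIDs (inodes) that Spotlight indexed more than once."""
    return sorted(oid for oid, recs in group_by_oid(entries).items() if len(recs) > 1)


def diff_records(older, newer, ignore=("OID", "Date Updated")):
    """Return {key: (old_value, new_value)} for every metadata value that differs."""
    changes = {}
    for key in sorted(set(older) | set(newer)):
        if key in ignore:
            continue
        if older.get(key) != newer.get(key):
            changes[key] = (older.get(key), newer.get(key))
    return changes


def change_history(entries):
    """For each OID with several records, the list of (from, to, changes) between successive records."""
    history = {}
    for oid, recs in group_by_oid(entries).items():
        if len(recs) < 2:
            continue
        history[oid] = [(a["Date Updated"], b["Date Updated"], diff_records(a, b))
                        for a, b in zip(recs, recs[1:])]
    return history


def paths_for_inode(listing, oid):
    """The File Filter step: match the Spotlight OID against the FS ID column."""
    return [f["Path"] for f in listing if f["FS ID"] == oid]


def summarize(entries, listing):
    """Human-readable lines an analyst could paste into notes."""
    lines = []
    for oid, steps in change_history(entries).items():
        paths = paths_for_inode(listing, oid) or ["<inode not present in listing>"]
        lines.append(f"OID {oid} -> {', '.join(paths)}")
        for start, end, changes in steps:
            lines.append(f"  {start} -> {end}")
            for key, (old, new) in changes.items():
                lines.append(f"    {key}: {old!r} -> {new!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SPOTLIGHT_ENTRIES, FILE_LISTING)))
```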


[Screenshot: Spotlight sub-view sorted by Date Updated, showing entries such as AddressBook-v22.abcd, SyncSnapshot.plist and Records.db with their Display Name, Kind, Description, Use Count, Last Used Date, Creation Date and Content Creation Date columns] 


To locate Spotlight cache text files, find the entries with data stored in the Cache File column. To 
see the cache file itself, open the context menu on the cache file, then select Reveal 'Cache File' in 
File Browser. 


[Screenshot: Spotlight sub-view with the context menu open on an entry, offering Find Next, Save File Listing, Copy Path, Quick Look, Find Identical Files, Export, Reveal > File On Disk / File In File Browser / 'Cache File' in File Browser, and Tag Apple Spotlight As; the lower portion shows the parsed keys _kMDItemContentChangeDate, _kMDItemCreationDate, _kMDItemCreatorCode, _kMDItemDisplayNameWithExtensions and _kMDItemFileName] 


Spotlight is also known to index content such as calendar entries, Evernotes, email, and 
reminders. Snippets of content from these sources can be found in the parsed Spotlight data. 


[Screenshot: Spotlight entries indexed from Mail; the lower portion lists keys such as _kMDItemFinderLabel, _kMDItemFromImporter, _kMDItemInterestingDate, _kMDItemIsExtensionHidden, _kMDItemOwnerGroupID, _kMDItemOwnerUserID, _kMDItemTextContentIndexExists, _kMDItemTextEncodingHint, com_apple_mail_dateReceived, com_apple_mail_isRemoteAttachment, com_apple_mail_transaction, kMDItemAccountIdentifier, kMDItemContentCreationDate and kMDItemContentModificationDate with their values] 
Tagging Spotlight Data 


If a Spotlight data entry is tagged in the top portion of the Content pane, all parsed Spotlight 
metadata values shown in the lower portion of the Content pane are automatically tagged. 




In the Report, the information parsed in the upper portion of the Content pane is shown together, 
followed by a separate table for each Spotlight metadata value parsed for that entry. 


One entry tagged in the top portion of the Content pane can result in numerous tagged items 
since all parsed Spotlight metadata values shown in the lower portion of the Content pane are 
automatically tagged. 


Unfortunately, the reverse is not so easy. If an entry tagged from the top portion of the Content 
pane is removed, the corresponding parsed metadata values in the lower portion of the Content 
pane are not removed from the tag. To remove all of the tagged data, select all of the tagged 
entries in the lower portion of the Content pane, open the context menu, and then click Remove 
Apple Spotlight From Tag Group. 
Windows Index 


For Windows 10 computers, you can automatically parse data from the Windows 10 search index 
and add file metadata to the associated files after processing. In the Add Evidence window, under 
the Extract Data processing option, select Actionable Intel. Data is then parsed from the 
Windows 10 search index and file metadata is added to the associated files once processing completes. 


To see the result, click System > Windows Index. Keys and values appear for each selected item 
type. If Windows metadata is available for a selected file, you can see it in the Windows Metadata 
section in the Metadata view. 



Dictionary 


On the toolbar, click System > Dictionary. The predictive text data from the dynamic dictionary 
database is displayed. This database file stores user-entered text strings typed on the keyboard. 
This may include usernames, web passwords and other login credentials, website URLs, and text 
from SMS and email messages. Depending on the device and operating system, these text 
strings may be stored in the chronological order they were typed. 


If a user stored passwords in an unsecured application, such as the Notes application, or 
accidentally typed a password into the wrong field on a login form, the text containing the 
password may be stored in this file. The iOS operating system does not store passwords that a 
user typed into a designated password text field. 


The text in this database file can be used to potentially aid in cracking passwords on the device. 

In the Content pane, select one or more dynamic text entries. Open the context menu and select 
Export as CSV. Select a file export location and click Export. A text file containing all the selected 
words is saved. 
Applications 


There are about 900,000 applications available from the Apple App Store. Cellebrite Inspector 
provides a uniform way to view these applications and application bundle contents during a 
forensic examination. 


On the toolbar, click System > Applications. The Applications sub-view shows a comprehensive 
list of user-installed third-party applications and their icons. Select an application from the list 
at left. The middle pane shows the application bundle contents, and certain application data is 
parsed and shown in the right pane. The data in the right pane may include a username, email 
address, app version, and last login date. 


In the middle pane, when you select a file associated with an application, such as a PDF, image 
file, or database, the file appears in the File Content view. To examine the files using different 
views, scroll through the Hex, Strings, Preview, Metadata, and Quick Look (Mac only) views at the 
top of the File Content view. Select a column heading to sort specific application files by Name, 
Date Created, Date Modified, Date Accessed, Date Added, or Size. 




Applications like Facebook and Skype store contact and conversation data in database files. 


If third-party application information is important, be sure to perform a forensic image 
acquisition (using third-party software) or a logical data acquisition when adding iOS data to a 
case. 


System Logs 


In System View, System Logs offers views of File System Logs and Unified Logs. 
File System Logs 


Inspector parses system logs from both Windows and macOS computers. The File System 
Journal Analysis processing option parses $LogFile, which records disk activity, and $USNJRNL, 
the change journal, on Windows computers, and .fseventsd on macOS. The OS Event / 
Security Logs processing option parses Windows event logs (EVT and EVTX), macOS Apple 
System Logs (ASL), and Unified Logs. For more information, see Adding a Disk Image. 


Once these processing options are run, you can see the results in the System Logs sub-view of 
the System view. 


On the toolbar, click System > System Logs. In the list to the lower left, click System Logs. The 
Content pane is divided into sections. On the left side, the upper pane lists parsed File System 
Logs. The lower pane lists parsed System Logs. The right side of the Content pane shows the 
item selected on the left. 




Unified Logs 


With macOS 10.12, Apple introduced the unified log format, giving all Apple operating systems 
(macOS, iOS, watchOS, and tvOS) a common log format. Unified logs are parsed with the OS 
Event / Security Logs initial processing option or with Events/Logs from Evidence Status. 


The amount of data stored in Unified Logs is massive. During periods of intense activity, 10,000 
records can be added to the logs in a minute, so Unified Logs can hold millions of records. 
Loading millions of records into Cellebrite Inspector and reviewing them manually could take a 
significant amount of time. Therefore, you must filter Unified Log records for data of interest. 


To see unified logs, on the toolbar click System > System Logs. Then, in the list to the left, click 
UnifiedLog. The Content pane is divided into sections. On the left side, the upper pane lists 
parsed File System Logs. The lower pane lists parsed unified logs. 
Unified Logs do not load automatically. Instead, Inspector presents a message showing the total 
number of records and requiring you to apply a filter to view them. The filter pane automatically 
appears on the right side of the Content pane. 




Log records can be filtered by these options, parsed for each record. 

• Any (any string) 
• Date 
• Type 
• UID 
• PID 
• Process Name 
• Process Path 
• Sender Name 
• Sender Path 
• Message 
• Offset 
• Subsystem 
• Category 
• Signpost Name 
• Signpost Info 


Filters can be created for records during a timeframe of investigative interest. Dates in Unified 
Logs records are stored in the Cellebrite Inspector database down to nanoseconds, and records 
appear in microsecond precision. Sorting with the Date column shows the records in order by 
timestamps. The Date column is the only sortable column for Unified Logs. 


Unified Logs may contain data regarding Time Machine backups, time zone changes, external 
media mounts and unmounts, or connected printers. 


Due to the volume of Unified Log events, they are not included in the smart index. Any USB 
device information parsed from Unified Logs is also added to the Actionable Intel view. 
Memory 


For the contents of a memory file to be parsed and displayed, advanced processing options must 
first be run. For more information, see Adding a Memory File. 


Once advanced processing has been run on the memory file, the contents can be viewed in the 
Memory sub-view. 


On the toolbar, click System > Memory. 




The Memory sub-view provides these deeper views for analyzing memory file artifacts. 

• Processes 
• Libraries 
• Sockets 
• Handles 
• Drivers 


Select one or more processes from the upper pane in the Processes sub-view, and any libraries, 
sockets, and handles associated with the selected processes (that is, sharing the same PID) appear 
in the lower pane. To see these artifacts in their own views, click Libraries, Sockets, or Handles. 
Actionable Intel View 


The Actionable Intel view in Cellebrite Inspector allows you to see various types of data points 
that can mostly be attributed to a user's actions. The Actionable Intel view provides a tree style 
menu with sub-view menus. 


This chapter provides these topics about the Actionable Intel view. 


• Insights 
• Activity Correlation 


Insights 


The Insights view in Actionable Intel provides views of these types of information. 


• Search 
• Device Backups 
• Device Connections 
• Account Usage 
• Downloads 
• File Knowledge 
• Passwords 
• Program Execution 


For certain item types in the Insights view under Actionable Intel, when you select part of a file's 
content in the lower portion of the Content pane, the corresponding content is also highlighted in 
Hex view. It also appears in the related Data Interpreter view as a String. 




This is available for these items in Actionable Intel > Insights. 

• Passwords > Apple Keychain 
• Program Execution > Notifications 
• Program Execution > ComDlg32 
• Program Execution > Windows Activity Timeline 
Search 


In Actionable Intel, Search offers a view of parsed search data from macOS and Windows. 


In macOS, Apple Spotlight Shortcuts are parsed and displayed. When a user on a Mac computer 
presses CMD+SPACEBAR, Spotlight Search appears. 


As you begin typing, Spotlight provides recommendations based on the characters typed. You can 
choose a suggestion before you have finished typing the entire word or string. That information is 
stored in ~/Library/Application Support/com.apple.spotlight/com.apple.spotlight.Shortcuts. Parsed 
data shows this information. 


• the user account the data was parsed from (User) 
• what the user typed (Typed) 
• what Spotlight displayed for the item the user selected (Display Name) 
• the Last Used timestamp 
• the location of the selected item, such as the path for apps, path for files, URLs for websites, 
and more (URL) 
• the file the data was parsed from (Source) 


To see searched items from a Mac computer, in the toolbar click Actionable Intel, then in the 
menu on the left, click Apple Spotlight Shortcuts under Search. 




To see searched items from a Windows computer, in the toolbar click Actionable Intel, then in the 
menu on the left, click Windows Explorer under Search. 
For Windows, Windows Explorer search artifacts are parsed and displayed. In Windows 7 and 
Windows 10, this data is stored in NTUSER.dat in the WordWheelQuery key. 
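An added example, not part of this documentation, showing how the WordWheelQuery values decode into the search terms and their most-recent-first order. The registry values are constructed; the layout (numbered UTF-16LE values ordered by an MRUListEx list of DWORDs ending in 0xFFFFFFFF) is the standard Explorer MRU format.

```python
import struct
from typing import Dict, List, Optional

# Constructed sample of the REG_BINARY values found under
# NTUSER.dat: Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
# Each numbered value is one Explorer search term as a null-terminated UTF-16LE
# string; MRUListEx is a list of little-endian DWORD value indices, most recent
# first, terminated by 0xFFFFFFFF.
SAMPLE_VALUES: Dict[str, bytes] = {
    "0": "invoice".encode("utf-16-le") + b"\x00\x00",
    "1": "maps".encode("utf-16-le") + b"\x00\x00",
    "2": "tax return 2019".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}


def decode_term(raw: bytes) -> str:
    """Decode a numbered WordWheelQuery value up to its first UTF-16 null."""
    text = raw.decode("utf-16-le", errors="replace")
    end = text.find("\x00")
    return text if end < 0 else text[:end]


def parse_mru_list(raw: bytes) -> List[int]:
    """Decode MRUListEx into value indices, most recent first.

    Stops at the 0xFFFFFFFF terminator; trailing bytes that do not form a whole
    DWORD are ignored rather than treated as an index.
    """
    count = len(raw) // 4
    order: List[int] = []
    for idx in struct.unpack("<%dI" % count, raw[: count * 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_word_wheel_query(values: Dict[str, bytes]) -> List[Dict[str, Optional[object]]]:
    """Return the search terms in MRU order.

    Position 0 is the most recent search, which is also the entry the key's
    LastWrite timestamp refers to. Numbered values missing from MRUListEx are
    appended with mru_position None so that nothing is silently dropped.
    """
    order = parse_mru_list(values.get("MRUListEx", b""))
    terms = {int(name): decode_term(data) for name, data in values.items() if name.isdigit()}
    results: List[Dict[str, Optional[object]]] = []
    for position, idx in enumerate(order):
        if idx in terms:
            results.append({"mru_position": position, "value_name": str(idx), "term": terms[idx]})
    for idx in sorted(set(terms) - set(order)):
        results.append({"mru_position": None, "value_name": str(idx), "term": terms[idx]})
    return results


if __name__ == "__main__":
    for entry in parse_word_wheel_query(SAMPLE_VALUES):
        print(entry["mru_position"], entry["value_name"], entry["term"])
```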




Device Backups 


In Actionable Intel, Device Backups offers a view of iOS backup folders contained on the selected 
partition, along with the model, phone number, last backup date, OS version, serial number, 
UDID and IMEI. 


Inspector can directly ingest device backups from within images. It is not necessary to export 
and ingest them separately. This improves efficiency and results in smaller case file sizes. These 
file types may be imported. 


• E01 
• iPhone backups 
• plain files and directories 
• raw disk images 
• some specific .dmg types 
• zip 
• tar 


If .zip or .tar files are imported and Process Archives is selected, they appear as an evidence 
source with all the contents of the archive in the file browser for that evidence source. 


To see device backups, click Actionable Intel > Insights > Device Backups. 


Device Connections 


In Actionable Intel, Device Connections offers a view of all devices previously connected to the 
source computer. Among other things, you can see the connected device type, serial number, 
last connected timestamp, and the number of times the device was connected (for iOS devices). 


To see previously connected devices, on the toolbar click Actionable Intel, then in the menu on 
the left, click Device Connections. 




Account Usage 


In Actionable Intel, Account Usage offers views of cellular usage, top contacts, and user 
accounts. 


Cellular Usage 
This applies to both iPhone and Android devices; Android depends on device and version. 


You can see the parsed contents of this database showing the Subscriber ID, phone number and 
last update time. 


Users of iOS devices can switch SIM cards. Additionally, newer iOS devices are equipped with 
eSIM capability making it possible for users to store multiple eSIM accounts on a single device. 
This data is stored in /Library/Databases/CellularUsage.db. 


On the toolbar click Actionable Intel, then in the menu on the left, click Cellular Usage under 
Account Usage. 


Top Contacts 


You can see a list of the device's most frequent contacts along with the message and call counts 
for each. 


On the toolbar click Actionable Intel, then in the menu on the left, click Top Contacts under 
Account Usage. 


User Accounts 
You can see user account information for both current and deleted user accounts. 


This includes the current user accounts’ UID, User Name, Full Name, home folder path, and 
password hints, along with deleted user accounts’ UID, User Name, Full Name, and date deleted 
information. Timestamps for created, last logon, last password change, last failed logon, and 
logon count may also show in this view. 


On the toolbar click Actionable Intel, then in the menu on the left, click User Accounts under 
Account Usage. 




For User Account entries stored in binary plists, you can select an entry in one column 
(highlighted green). Only the highlighted data appears in the lower portion of the Content 
pane. 


In macOS, account information is also parsed from databases stored in ~/Library/Accounts, 
providing information about the user name and account type. Databases in ~/Library/Accounts 
store information about the user's other accounts including iCloud, social media, email, and 
calendars. This data is parsed and displayed with operating system user accounts. Entries 
stored in the Account databases often contain a binary property list in the database entry. 
To see the data stored in the binary plist, select an entry in the Property Value column. The data 
is highlighted in green. The Preview tab in the File Content view shows the parsed property list. 




Downloads 
In Actionable Intel, Downloads offers views of AirDrop and Files. 


AirDrop 


AirDrop is a macOS and iOS feature to transfer files to other nearby Apple devices. Artifacts from 
AirDrop on macOS are stored in multiple locations including Unified Logs and Spotlight. 
Inspector parses AirDrop artifacts from Spotlight, which contains more complete information. 


To see AirDrop artifacts, on the toolbar click Actionable Intel, then in the menu on the left, click 
Air Drop under Downloads. 




For more information, see these topics provided by Apple. 


e https://support.apple.com/en-us/HT204144 
e https://support.apple.com/en-us/HT203106 
Files 


Files shows information about recent file downloads. Some or all of this information may be 
shown. 

• source (such as Internet Explorer, Chrome, Safari, or Firefox) 
• file name 
• file path 
• timestamp 
• sender name 
• sender address 
• title 


Web browsers have built-in download managers that keep a history of every file downloaded by a 
user. These browser artifacts can provide excellent information about what sites a user has been 
visiting and what files were downloaded. In addition to browser downloads, Files also includes 
artifacts from Zone.Identifier streams in Windows and quarantine files in macOS. 
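The Zone.Identifier stream mentioned above is a small INI-style record written to the file's alternate data stream when a browser saves a download. As an added example (not Cellebrite's code), this parser turns constructed stream contents into the download source and zone for each file; the file names and URLs are constructed, while the [ZoneTransfer] layout and zone numbering are the documented Windows format.

```python
import configparser
from typing import Dict, List, Optional

# URL security zones as numbered in the ZoneId field.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed contents of <file>:Zone.Identifier alternate data streams, keyed by
# the file they were attached to. ZoneId=3 (Internet) is the mark that tells
# Windows the file came from the web; HostUrl/ReferrerUrl are only present when
# the browser recorded them.
SAMPLE_STREAMS: Dict[str, str] = {
    "images (1).jpg": (
        "[ZoneTransfer]\r\n"
        "ZoneId=3\r\n"
        "ReferrerUrl=https://example.com/gallery/\r\n"
        "HostUrl=https://cdn.example.com/images/1.jpg?w=800\r\n"
    ),
    "report.pdf": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "notes.txt": "just some text, not a zone stream",
}


def parse_zone_identifier(stream: str) -> Optional[Dict[str, object]]:
    """Parse one Zone.Identifier stream; return None if it is not a [ZoneTransfer] record."""
    # Only '=' is a delimiter so that ':' inside URLs is kept; no interpolation so '%' is literal.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        parser.read_string(stream)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id: Optional[int] = int(section.get("ZoneId", "").strip())
    except ValueError:
        zone_id = None  # missing or malformed ZoneId is reported, not guessed
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def summarize_downloads(streams: Dict[str, str]) -> List[Dict[str, object]]:
    """Build one download record per file that carries a valid Zone.Identifier stream."""
    records: List[Dict[str, object]] = []
    for file_name, stream in streams.items():
        parsed = parse_zone_identifier(stream)
        if parsed is None:
            continue  # no [ZoneTransfer] record: not a browser download marker
        record: Dict[str, object] = {"file_name": file_name}
        record.update(parsed)
        records.append(record)
    return records


if __name__ == "__main__":
    for rec in summarize_downloads(SAMPLE_STREAMS):
        print(rec["file_name"], rec["zone_name"], rec["host_url"])
```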


To see information about recent file downloads, on the toolbar click Actionable Intel, then in the 
menu on the left, click Files under Downloads. 




File Knowledge 


In Actionable Intel, File Knowledge offers views of Link Files, Recent Items, and Trash Items. 
Link Files


On Windows systems, link (.lnk) files may be created by the operating system during routine
operation or be deliberately created by a user. To see Windows link files, on the toolbar click
Actionable Intel. In the menu on the left, click Link Files under File Knowledge. Metadata for
selected link files includes link attributes, link target information, and target system information.
To see this metadata in the File Content view, click Preview. In this view, you can tag individual
rows for reporting purposes.


[Screenshot: Link Files sub-view listing .lnk files and their targets, with the Preview tab showing the parsed metadata of the selected link, grouped as:
  Link Target Information: Link Target, Type, Link Flags (for example HasLinkTargetIDList, HasLinkInfo, HasWorkingDir, IsUnicode), Target File Size, Target Path
  Link Attributes: Source File Name, LINK Data Size, Icon Index, Show Command (for example SW_SHOWNORMAL)
  Target System Information: Drive Type (for example DRIVE_REMOVABLE), Drive Serial (for example C1A1-10FE), Volume Label, Local Base Path
Status bar: (1 of 476) - /BOOTCAMP/Users/josh/AppData/Roaming/Microsoft/Windows/Recent/2017-porsche-boxster-facelift-revealed-in-latest-spyshots-has-cayenne-like-taillight-graphics_26.lnk]
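The Link Target Information, Link Attributes and Target System Information fields come straight from the MS-SHLLINK structures inside the .lnk file. As an added example (not Inspector's parser and not code from this guide), this Python script reads the ShellLinkHeader and the LinkInfo/VolumeID block and reports the fields Inspector labels Link Flags, Target File Size, Show Command, Drive Type, Drive Serial, Volume Label and Local Base Path. It builds its own constructed .lnk bytes (a fictitious D:\report.docx on a removable volume labelled USBKEY) so that it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from MS-SHLLINK (the subset the Link Files metadata displays).
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode", 0x100: "ForceNoLinkInfo",
    0x200000: "DisableKnownFolderTracking",
}
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def cstring(buf, offset):
    """Read a NUL-terminated ANSI string starting at offset."""
    return buf[offset:buf.index(b"\x00", offset)].decode("latin-1")


def parse_lnk(data):
    """Parse the ShellLinkHeader and, when present, the LinkInfo/VolumeID of a .lnk file."""
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, size, icon, show = \
        struct.unpack_from("<I16sIIQQQIiI", data, 0)
    if hdr_size != 0x4C or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    info = {
        "flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "target_is_archive": bool(attrs & 0x20),          # FILE_ATTRIBUTE_ARCHIVE
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_written": filetime_to_datetime(wtime),
        "target_size": size,
        "icon_index": icon,
        "show_command": SHOW_COMMANDS.get(show, hex(show)),
    }
    offset = 0x4C
    if flags & 0x01:                                      # skip the LinkTargetIDList
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & 0x02:                                      # LinkInfo: where the target lived
        li_size, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, offset)
        if li_flags & 0x01:                               # VolumeIDAndLocalBasePath
            _, drive_type, serial, label_off = struct.unpack_from("<IIII", data, offset + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            info["drive_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            info["volume_label"] = cstring(data, offset + vol_off + label_off)
            info["local_base_path"] = cstring(data, offset + base_off)
        offset += li_size
    return info


def build_sample_lnk():
    """Constructed .lnk: target D:\\report.docx on a removable volume labelled USBKEY."""
    t = datetime_to_filetime(datetime(2020, 5, 20, 22, 45, 12, tzinfo=timezone.utc))
    header = struct.pack("<I16sIIQQQIiIH2sII", 0x4C, LINK_CLSID, 0x02 | 0x80, 0x20,
                         t, t, t, 4096, 0, 1, 0, b"\x00\x00", 0, 0)
    label, base = b"USBKEY\x00", b"D:\\report.docx\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1234ABCD, 16) + label
    li_size = 28 + len(volume_id) + len(base) + 1
    link_info = struct.pack("<IIIIIII", li_size, 28, 0x01, 28, 28 + len(volume_id),
                            0, 28 + len(volume_id) + len(base))
    return header + link_info + volume_id + base + b"\x00"


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:>18}: {value}")
```

The drive serial and volume label tie a link to a specific removable volume even after the target file is gone, which is exactly what the screenshot above shows (DRIVE_REMOVABLE, serial C1A1-10FE, label SECRET). Real links usually also carry a LinkTargetIDList and string data (name, relative path, working directory) after LinkInfo; this example skips the former and ignores the latter. The streams inside AutomaticDestinations-ms jump list files contain the same ShellLink structure.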


Recent Items 


To see recent items, on the toolbar click Actionable Intel. In the menu on the left, click Recent
Items under File Knowledge. The Recent Items view shows information from both macOS and
Windows systems.


[Screenshot: File Knowledge (3,932) expanded to Link Files (476), Recent Items (3,444) and Trash Items; the Recent Items list shows the User, a Folder or Documents type, and item names such as Pict.PNG, FatManOnCamel.m4v, auction.csv, C-Headlight.jpg and sport.PNG.]


For Windows systems, Recent Items are parsed from information stored in the NTUSER.DAT
registry hive, for example the \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\ key.
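Added example, not the guide's or Inspector's own code: how the RecentDocs values named above decode. Each numbered value holds the document name as a NUL-terminated UTF-16LE string followed by a file-entry shell item (type 0x32) whose ANSI name is the matching .lnk in the user's Recent folder, and the MRUListEx value is an array of little-endian DWORDs, most recent first, ending with 0xFFFFFFFF. The value bytes below are constructed, and the shell item is reduced to the fields needed to reach its name; on a real hive you would read the values out of NTUSER.DAT with a registry parser such as python-registry and pass them in the same {value name: bytes} form.

```python
import struct


def parse_mrulistex(data):
    """MRUListEx: little-endian DWORD value names, most recent first, terminated by 0xFFFFFFFF."""
    order = []
    for (index,) in struct.iter_unpack("<I", data):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def parse_recentdocs_value(data):
    """Document name (UTF-16LE, NUL-terminated) followed by a type 0x32 shell item.

    In the file-entry shell item the primary (ANSI) name starts at offset 14,
    after size, type, an unused byte, file size, DOS date/time and attributes.
    """
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    name = data[:end].decode("utf-16-le")
    item = data[end + 2:]
    lnk = None
    if len(item) >= 14 and item[2] == 0x32:
        lnk = item[14:item.index(b"\x00", 14)].decode("latin-1")
    return {"name": name, "lnk": lnk}


def recent_docs(values):
    """values: {value name: bytes} for one RecentDocs key. Returns entries in MRU order."""
    order = parse_mrulistex(values["MRUListEx"])
    return [parse_recentdocs_value(values[str(i)]) for i in order if str(i) in values]


def make_recentdocs_value(name, lnk_name):
    """Constructed value in the layout above (no extension block after the name)."""
    lnk = lnk_name.encode("latin-1") + b"\x00"
    item = struct.pack("<HBBIHHH", 14 + len(lnk), 0x32, 0, 0, 0, 0, 0x20) + lnk
    return name.encode("utf-16-le") + b"\x00\x00" + item + b"\x00\x00"


# Constructed RecentDocs key: three documents, opened in the order 1, 0, 2 (2 is newest).
SAMPLE_RECENTDOCS = {
    "0": make_recentdocs_value("report.docx", "report.lnk"),
    "1": make_recentdocs_value("auction.csv", "auction.lnk"),
    "2": make_recentdocs_value("sport.PNG", "sport.lnk"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for entry in recent_docs(SAMPLE_RECENTDOCS):
        print(entry)
```

The ordering is the point: the numbered value names only say a document was opened, while MRUListEx says in which order, so the most recent document is the first index in that array rather than the highest-numbered value. Per-extension subkeys under RecentDocs (.docx, .csv, ...) carry the same layout and their own MRUListEx.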




For macOS systems, data is parsed from many locations. 


Description                        Locations

Folders                            ~/Library/Preferences/com.apple.finder.plist
                                   /Library/Preferences/.GlobalPreferences.plist

Shared File Lists                  ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.<MRU Type>.sfl
(Documents, Files,                 ~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.<MRU Type>.sfl2
Applications, Hosts/Servers,
Volumes, etc.)

Microsoft Office                   ~/Library/Preferences/com.microsoft.plist
                                   ~/Library/Containers/com.microsoft.<Office App Name>/Data/Library/Preferences/com.microsoft.<Office App Name>.securebookmarks.plist

Volumes                            ~/Library/Preferences/com.apple.finder.plist
                                   ~/Library/Preferences/com.apple.sidebarlists.plist
                                   /private/var/root/Library/Preferences/com.apple.sidebarlists.plist

Files                              /.Spotlight-V100/Store-V2/<UUID>/store.db
                                   /private/var/db/Spotlight-V100/BootVolume/Store-V2/<UUID>/.store.db


The Type column and the Status Bar both show where the information is parsed from. 


[Screenshot: Recent Items from a macOS system. Type column values include Shared File List 2 with Labels such as Recent Servers, Favorite Servers and Recent Documents; Item Names include ftp://ftp.dell.com, goodintel.png, goplacetogo.png, Area27.txt, Porsche-Parts.pages, AlliedParts.rtf, gone.jpeg, Porsche-Parts.doc, BMW_Info.JPG, auction.csv, data_export_2019-10-09.csv and record.xls. The Hex tab below shows the bplist00 header of the selected .sfl2 file.]

The Recent Items view shows these columns in addition to the default Tagged State and
Evidence ID.

• User
• Type
• Label
• Item Name
• Path
• Mount Path
• Date
• Index Value
The User column is based on the path the data is parsed from. Recent Items parsed from a
directory in /Users/<user name> show <user name> in the User column. Recent Items parsed
from files in /private/var/root show root in the User column. The User column is blank for data
parsed from the Spotlight index, because no file path identifies a user there.


Some columns are not used for all Recent Items parsed. For example, data parsed from shared
file lists uses the Label and Index Value columns to provide information about:

• Which LSSharedFileList the data was parsed from (Label is a portion of the file name of the
  .sfl or .sfl2 file).

• Which item number under $archiver the entry was parsed from (Index Value is the item
  number for the entry under Root/$archiver/items/).
The same principle is used for other data parsed from plist files, but instead of the Label
column, the Type column is used. The Type column, generated by Inspector, can be a
combination of the plist file name and plist entry. For example, data is parsed from both
/Root/favorites and /Root/systemitems in com.apple.sidebarlists.plist. Entries parsed are labeled
as Sidebar Favorites or Sidebar System Items, depending on the plist entry they are parsed from.
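Added example (not Inspector's code): the User, Type, Item Name and Index Value rules above applied to a constructed com.apple.sidebarlists.plist, built and read with plistlib. The plist's shape (Root/favorites and Root/systemitems, each holding a VolumesList array of dictionaries with Name and Alias keys) follows the Preview pane shown below; the entry names and the evidence path are made up for this example.

```python
import plistlib
import re

# Inspector's Type label for the two list roots in com.apple.sidebarlists.plist
SIDEBAR_TYPES = {"favorites": "Sidebar Favorites", "systemitems": "Sidebar System Items"}


def user_from_path(path):
    """Derive the User column from the evidence path, following the rules in the text."""
    if "/private/var/root/" in path:
        return "root"
    match = re.search(r"/Users/([^/]+)/", path)
    return match.group(1) if match else ""          # blank for Spotlight and other sources


def recent_items_from_sidebarlists(path, plist_bytes):
    """One Recent Items row per VolumesList entry, typed by the root key it came from."""
    root = plistlib.loads(plist_bytes)
    rows = []
    for key, type_name in SIDEBAR_TYPES.items():
        for index, entry in enumerate(root.get(key, {}).get("VolumesList", [])):
            rows.append({
                "user": user_from_path(path),
                "type": type_name,
                "item_name": entry.get("Name", ""),
                "index_value": index,
                "path": path,
            })
    return rows


def build_sample_sidebarlists():
    """Constructed plist with the same shape as the Root/favorites and Root/systemitems entries."""
    alias = b"\x00\x00\x00\x00"                     # stand-in for the binary Alias data
    return plistlib.dumps({
        "favorites": {"VolumesList": [
            {"Name": "Applications", "Alias": alias},
            {"Name": "Documents", "Alias": alias},
        ]},
        "systemitems": {"ShowEjectables": True, "VolumesList": [
            {"Name": "Macintosh HD", "Alias": alias},
            {"Name": "Evidence USB", "Alias": alias},
        ]},
    })


if __name__ == "__main__":
    sample_path = "/Evidence - Data/Users/josh/Library/Preferences/com.apple.sidebarlists.plist"
    for row in recent_items_from_sidebarlists(sample_path, build_sample_sidebarlists()):
        print(row)
```

The Index Value is only meaningful together with the Type: index 0 under Sidebar Favorites and index 0 under Sidebar System Items are different entries in different arrays, which is why both columns appear in the view.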


[Screenshot: Recent Items parsed from com.apple.sidebarlists.plist. User is root, Type is Sidebar System Items or Sidebar Favorites, and Item Name and Mount Path name volumes such as Tech Crimes, Mac OS X Install ESD, Lion and MacQuisition (10.5.8), each with a Date and an Index Value. The Preview tab shows the plist keys (Controller, CustomListProperties, ShowEjectables, ShowHardDisks, ShowRemovable, ShowServers, VolumesList as an Array of Dictionaries with Alias Data). Status bar: (1 of 110) - Filtered - /Racer - Data/Users/josh/Library/Preferences/com.apple.sidebarlists.plist]


The Type for data parsed from Microsoft securebookmarks plists is based on the name of the 
plist. 


Trash Items 


Choosing Trash Items in the File Knowledge sub-view menu shows items stored in the .Trash
folders for macOS and Recycle Bin folders for Windows. Since the Windows Recycle Bin
maintains more information about files, some columns listed in this view pertain to Windows
Recycle Bin records only (Trash Name and Deleted Date).
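Added example, not code from this guide: the Windows-only columns above (Trash Name, Deleted Date, Original Path and Size) are read from the $I<id> record that Windows writes beside the renamed $R<id> file under $Recycle.Bin\<SID>\. This Python parser handles both record layouts (version 1, Vista through 8.1, with a fixed 260-character path; version 2, Windows 10 and later, with a length-prefixed path) and builds constructed samples of each so that it runs offline. The file name, size, time and SID are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_DELETED = datetime(2020, 5, 20, 22, 49, 25, tzinfo=timezone.utc)   # constructed


def parse_i_file(data):
    """Parse a $I<id> record: u64 version, u64 original size, u64 deletion FILETIME, path."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                    # Vista to 8.1: fixed 260-character UTF-16LE path
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:                  # Windows 10 and later: u32 char count, then path
        nchars = struct.unpack_from("<I", data, 24)[0]
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {
        "original_path": path,
        "size": size,
        "deleted": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


def recycle_bin_record(i_name, data, sid=None):
    """Combine the $I metadata with the names Inspector shows as Trash Name."""
    if not i_name.startswith("$I"):
        raise ValueError("expected a $I<id> file name")
    record = parse_i_file(data)
    record["trash_name"] = i_name
    record["content_name"] = "$R" + i_name[2:]     # the renamed file body sits beside $I
    record["user_sid"] = sid                       # the $Recycle.Bin subfolder the pair lives in
    return record


def build_sample_i_file(path, size, deleted, version=2):
    """Constructed $I record in either layout, for a file deleted at `deleted` (UTC)."""
    filetime = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return struct.pack("<QQQ", 1, size, filetime) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, filetime, len(encoded) // 2) + encoded


if __name__ == "__main__":
    sample = build_sample_i_file(r"C:\Users\examiner\Documents\invoice.pdf", 18342, SAMPLE_DELETED)
    print(recycle_bin_record("$IABC123.pdf", sample, sid="S-1-5-21-1-2-3-1001"))
```

Two consequences matter in practice. The deletion time lives only in $I, so a lone $R file (or an $R recovered from unallocated space) has content but no Deleted Date; and the SID folder, not the path inside the record, says which account emptied the file into the bin, which is why the view carries a separate User column.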


[Screenshot: Trash Items sub-view with columns User, File Name, Trash Name, Original Path, Deleted Date and Size; the single entry listed comes from a macOS .Trashes folder.]

Passwords 


In Actionable Intel, Passwords offers a view of parsed Apple Keychain data from macOS and iOS.
Keychains are processed during initial evidence ingestion. Inspector identifies them by file
extension (.keychain or .keychain-db). In macOS, there is a system keychain as well as user
keychains. The system keychain typically stores Wi-Fi passwords and Time Machine passwords.
Users' login keychains can contain a variety of data and are typically unlocked with the user's
login password.

While passwords are needed to unlock some keychain data, without any passwords Inspector
parses all of the information stored in the System keychain and all data except the Value stored
in locked user login keychains.


This image shows system keychain data with no password. 


[Screenshot: Passwords view showing System keychain entries parsed without a password. Status bar: (1 of 284) - /Racer - Data/Library/Keychains/System.keychain]


This image shows user login keychain data with no password. 
If no passwords are entered at initial evidence ingestion, Inspector processes and displays only
the data accessible without a password. If passwords are discovered later, you can either
reprocess the entire case or export the keychain files from the case and reprocess only the
keychain files.
Some rules to know before adding passwords:

• Passwords are tried in the order they are entered. In the Passwords window, they are shown
  in alphabetical order.

• Passwords must be UTF-8 encoded. An error message is displayed for non-UTF-8
  encoded passwords.

• A password list can be imported. The list must be UTF-8 encoded with one password per
  line.

• Long password lists can take significant time to run. For example, 14 million passwords take
  roughly 4 hours per keychain file.

• When manually entering passwords, leading and trailing spaces are trimmed.


As Inspector processes keychain files, once a password successfully unlocks the data, no further 
passwords are attempted for that keychain. 


Viewing Keychain Data 


With a Keychain entry selected in the Content pane, click Preview in the File Content view. The 
contents of the Value column are displayed. For keychains storing property list data in the Value 
field, when the Value field is highlighted in the Content pane and the Preview tab, the property 
list is parsed in the Preview tab. 
Refer to the Preview tab of the File Content Viewer for the parsed property list.

Tagging and Reporting Keychain Data


Data from Apple Keychains can be tagged for inclusion in the examination report. In the report, 
only columns containing data will be shown, so if a Keychain is locked and the Value cannot be 
parsed for the entry, it will not be shown in the report. Similarly, if there is no data in the 
Description column it will not be shown in the report. 


[Report excerpt: a tagged keychain entry as it appears in the examination report.]

Digital Forensics Report

Source Device       Bennett-Computer-200520.E01/Racer - Data
Path                /Users/josh/Library/Keychains/login.keychain-db
Name                Josh's AirPort Time Capsule
Value               booty61*Siva
Description         AirPort Disk password
Creation Date       2017-11-14 14:23:38 (UTC)
Modification Date   2017-11-14 14:33:29 (UTC)
Account             Josh Bennett
File Name           login.keychain-db
Source File         /Users/josh/Library/Keychains/login.keychain-db


Program Execution 


In Actionable Intel, Program Execution offers a view of evidence of applications that have been
launched by a user. This sub-view is specific to Windows. The artifacts in this table are the
categories offered in the Program Execution sub-view menu.


Artifact: Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM)
    Information stored in the Windows registry (Windows 10) that tracks executables run by each
    user on the system. BAM controls the activity of background applications. DAM was created to
    ensure consistent long battery life; DAM information is stored only on tablets and mobile
    devices. Each BAM/DAM entry provides insight into the applications run by the user identified
    in the SID column.

Artifact: Jump Lists
    Jump lists are created by the operating system (Windows 7 and above) based on user actions.
    They give the user quick access to recently accessed application files and actions.

Artifact: Last Executed
    Shows the specific executable used by an application to open the files documented in the
    OpenSaveMRU key. In addition, each value tracks the directory location of the last file that
    was accessed by that application.

Artifact: Multilingual User Interface (MUI) Cache
    Each time a new application is started on a Windows system, the application name and a
    description are stored in a registry key.

Artifact: Notifications
    A history of notifications sent to users.

Artifact: Prefetch
    Prefetching was introduced with Windows XP to minimize seek times on hard disks by loading
    into memory certain data that is needed for booting and launching applications. In this
    sub-view, Inspector lists the application file names in the top of the Content pane (along
    with run counts and times) and the associated DLL (Dynamic Link Library) files in the bottom
    of the Content pane. Filters can be applied to the data in the top of the Content pane by
    clicking the Show Filter button and applying the desired filter parameters.

Artifact: Recent Apps
    Data stored in NTUSER.DAT, recording information about applications recently used and the
    files accessed by those apps.

Artifact: ShimCache
    A mechanism in Windows to support older apps on newer versions of Windows. Provides
    information about executables.

Artifact: Superfetch
    Introduced with Windows Vista, Superfetch stores launch times and preloads applications into
    memory based on a given user's previous usage patterns. Inspector displays the volume name,
    entry name, and run time for each item.

Artifact: User Assist
    Shows applications the user has launched; the data is parsed from NTUSER.DAT. It can be used
    to determine:
    • the frequency of program execution for each user account
    • the last time a program was launched
    • where the program was launched from
    • information about programs that have been deleted or uninstalled from the system
    • proof of the existence of data in a location that is no longer available

Artifact: Windows Activity Timeline
    Tracks user activities such as website accesses, program executions, files accessed by
    programs, and when particular apps were in focus.

Artifact: AmCache
    Stores metadata about ShimCache executables that have been run, programs installed, and
    devices connected.

Artifact: ComDlg32
    Tracks when the user used the Open/Save dialog box to open or save a file.

Artifact: System Resource Usage Monitor (SRUM)
    Monitors desktop applications, services, Windows apps, and network connections. SRUM data is
    stored in the Windows registry, with historic information contained in a database. Tracked
    information includes:
    • network connectivity
    • network data usage
    • application resource usage
    • Windows push notifications
    • energy use

For Notifications, Windows Activity Timeline and ComDlg32, when you select part of a file's
content in the lower portion of the Content pane, the corresponding content is also highlighted
in Hex view. It also appears in the related Data Interpreter view as a String.
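Added example (not Inspector's parser and not code from this guide): decoding the UserAssist entries described in the table. Value names under ...\Explorer\UserAssist\{GUID}\Count are ROT13-obfuscated program paths, and on Windows 7 and later the 72-byte data holds the run count at offset 4, the focus count at 8, the focus time in milliseconds at 12 and the last-execution FILETIME at offset 60; that is where the frequency and last-launch answers in the list come from. The sample values are constructed, and the two GUIDs are the well-known executable and shortcut subkeys.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# UserAssist\{GUID}\Count subkeys present on Windows 7 and later.
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "Executable file execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "Shortcut file execution",
}


def parse_userassist_entry(value_name, data):
    """Decode one Count value: ROT13 name plus the 72-byte Windows 7+ record."""
    if len(data) < 68:
        raise ValueError("expected the 72-byte Windows 7+ UserAssist record")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    filetime = struct.unpack_from("<Q", data, 60)[0]
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None,
    }


def parse_userassist_key(guid, values):
    """values: {value name: bytes} from one Count subkey. Returns entries, most-run first."""
    entries = []
    for name, data in values.items():
        entry = parse_userassist_entry(name, data)
        if entry["path"].startswith("UEME_"):      # session counters, not launched programs
            continue
        entry["category"] = USERASSIST_GUIDS.get(guid, guid)
        entries.append(entry)
    return sorted(entries, key=lambda e: e["run_count"], reverse=True)


def build_sample_value(path, run_count, focus_count, focus_ms, last_run):
    """Constructed Count value: ROT13-encoded name and a 72-byte record."""
    data = bytearray(72)
    struct.pack_into("<IIII", data, 0, 0, run_count, focus_count, focus_ms)
    filetime = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", data, 60, filetime)
    return codecs.encode(path, "rot_13"), bytes(data)


SAMPLE_LAST_RUN = datetime(2020, 5, 20, 22, 49, 25, tzinfo=timezone.utc)   # constructed
SAMPLE_COUNT_VALUES = dict([
    build_sample_value(r"C:\Windows\System32\cmd.exe", 7, 3, 45000, SAMPLE_LAST_RUN),
    build_sample_value(r"C:\Windows\System32\notepad.exe", 12, 12, 610000, SAMPLE_LAST_RUN),
    build_sample_value("UEME_CTLSESSION", 0, 0, 0, SAMPLE_LAST_RUN),
])

if __name__ == "__main__":
    for entry in parse_userassist_key("{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", SAMPLE_COUNT_VALUES):
        print(entry)
```

Real value names often begin with a known-folder GUID in braces (for example the GUID for %SystemRoot% followed by \System32\cmd.exe) rather than a drive letter; the ROT13 step is the same, and the GUID is resolved separately. A zero FILETIME simply means the program has a count but no recorded last run, which this example reports as None rather than as 1601-01-01.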


To see any of these artifacts, on the toolbar click Actionable Intel. In the menu on the left, click 
the appropriate artifact category under Program Execution. For some artifacts, additional 
information is parsed by Inspector; the Content pane splits to show additional data. The most 
complex is Jump Lists. 
[Screenshot: Jump Lists sub-view. The upper Content pane lists jump list files; the lower pane shows the link targets of the selected AutomaticDestinations-ms file, and the Preview tab shows the Link Target Information for the selected target (target dates, Show Command SW_SHOWNORMAL, drive type DRIVE_FIXED). Status bar: (1 of 24) - /BOOTCAMP/Users/josh/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/a52b0784bd667468.automaticDestinations-ms]


Select the jump list that was created for a particular application. For that jump list, the bottom 
portion of the Content pane shows Link Targets, Type, Drive Type, Target Path, Target Date 
Accessed, Target Date Created, and Target Date Written. 


Select an item in the bottom portion of the Content pane. In the File Content view, click Preview 
to see information relating to the item. Information can be tagged for reporting purposes from 
individual rows shown in the File Content view. Additionally, you can use Find in the Content 
pane. 
Activity Correlation


The Correlation view in Actionable Intel makes it easy to see the story of an entity's activity.


You can easily see, filter, and pivot on all correlated events, whether they were done by a user or
by the system. There are three types of entities: Systems, Users, and Devices. These entities are
listed in the left column of the Correlation view and can be enabled or disabled as necessary.
The number of correlated events is shown in parentheses after each entity's name.


You can run the Correlation engine during initial ingestion or afterward by selecting Correlation
from the Evidence Status view.


[Screenshot: Correlation view. Left: entity tree (Systems, Users, Devices) with event counts; middle: 2921 events with Time, Owner, Event Type and Description columns (FileAccessed, FolderAccessed, DeviceInserted, AppOpened); right: Event Attributes (for example SerialNumber FD2VC3L9JCM2 for an inserted iPhone) and Event Artifacts panes.]

Each entity can have one or many events associated with it. Each entity also has its own
attributes, which you can see by double-clicking the entity or pressing SPACEBAR. This lets you
quickly see attributes like when an operating system was installed, the specific version, the
registered owner, and more.


[Screenshot: Entity Attributes dialog for a macOS system entity, listing keys such as ProductVersion, iOSSupportVersion, ProductBuildVersion, ProductName, GuestEnabled, lastUserName and AccountInfo, with a Range date filter above the event list.]
The middle pane of the Correlation view shows a list of all the events, and includes the time of
each event, the owner of each event, the type of event, and a full description. This list can be
shortened by deselecting any of the entities in the list. It is also possible to filter these events
based on time and date. This provides a time-based view that shows how an artifact came to be
and how it is related to other artifacts. For more information, see Individual File Filter Options.


[Screenshot: Correlation event list filtered to MessageEvent entries for two phone-number entities.]


You can search on keywords, which are then highlighted in the event list. The scrollbar marks
where the keywords exist in the list so you can quickly scroll to the marks to see each instance
of the highlighted keyword.


[Screenshot: keyword search for bobbyR.txt across 2921 events. The list shows FileAccessed events for user josh with paths such as C:\Users\josh\Desktop\ADSF_fILES\M.rtf, C:\Users\josh\Documents\Records\record.xls, D:\FatManOnCamel.m4v and C:\Users\josh\Documents\bobbyR.zip; matching rows are highlighted and the scrollbar marks each hit.]


In the right side of the Correlation view, you can see Event Attributes and Event Artifacts. Event
Attributes provides information about the selected event such as its type, its name, and its value,
for example file path, file name, and so forth. Event Artifacts shows all the artifacts that are
associated with the selected event. For example, if the file bobbyR.txt was accessed by the user
Gibby, you can see the path for that file, the user who accessed it, the drive it was on, and in this
case the Windows jump list entry that was created for it.


[Screenshot: Event Attributes (Type FilePath, Name TargetPath) and Event Artifacts for the bobbyR.txt event. Artifacts listed: JMPList FileAccessed, FilePath TargetPath, FileName TargetName bobbyR.txt, UserName josh, FileName NormalizedFileName bobbyR.txt and FileFolder NormalizedFileFolder.]


To pivot to the created jumplist so you can view other items, open the context menu on any of the 
items in Event Artifacts and click Reveal > Item in Native View. 
Plugins View


The Plugins view provides access to other tools integrated into Cellebrite Inspector. At this time, 
the Plugin Manager provides a way to integrate Apple Pattern of Life Lazy Output’er (APOLLO) 
into Inspector. 


To view plugins installed in Cellebrite Inspector, or to update to a newer version of a plugin, click 
Manage > Plugins. The Manage Plugins window shows all installed plugins and the source and 
version number for each. 


[Screenshot: Manage Plugins window]

Plugin          Version    Source
APOLLO-master   01172019   Sarah Edwards | @iamevltwin | mac4n6.com

Install...


In the Manage Plugins window, you can install and remove plugins from Inspector. To install a 
newer version of a plugin, you must first select the plugin and click Remove. 


This chapter provides this topic about the Plugins View: 
e APOLLO Plugin 


APOLLO Plugin 


APOLLO, written by Sarah Edwards, is a Python script that runs a series of queries against the
SQLite databases on iOS devices. APOLLO's power is in the SQL queries, each query designed to
look at specific iOS data. The queries are categorized by function and stored in text files. APOLLO
aims to easily correlate multiple databases with hundreds of thousands of records in order to
determine what has happened on the device. For more information, see the series of blog posts
by Sarah Edwards at https://www.mac4n6.com/blog/.


APOLLO is included in the Inspector installer and is installed into these directories.

• macOS: /Users/<username>/Library/Application Support/Cellebrite/Inspector/Plugins/APOLLO-master
• Windows 10: C:\Users\<username>\AppData\Roaming\Cellebrite\Inspector\Plugins\APOLLO-master
Get a new version of the APOLLO Plugin


1. Download a zip archive of the APOLLO modules file from
   https://github.com/mac4n6/APOLLO.

2. In the Manage Plugins window, select the APOLLO plugin and click Remove.

3. Click Install and select the APOLLO zip archive.


Use the APOLLO Plugin 


1. Import a macOS or iOS device into Inspector. 
2. Select the device in the Component list. 
3. On the toolbar, click Plugins. 


The APOLLO queries run, and results are shown in the Content pane. 




The queries in APOLLO are categorized based on what data is queried. Inspector separates 
APOLLO data into each category and displays the results of each query. 


[Screenshot: APOLLO results grouped by category (Interaction, Knowledge, ...). The Knowledge > App InFocus query shows Start, End, Bundle Id (com.apple.mail, com.apple.Safari), Group Id (com.apple.mail.mailbox, com.apple.mail.message), Activity Type, Content Description (for example google.com/search?client..., pelicanparts.com/catalog/...) and User Activity Required columns for events on 2020-04-27 and 2020-04-29.]


To see the query used, view the text files associated with the query stored in the APOLLO-master
directory.
[Screenshot: a file browser open at the APOLLO-master directory (the modules folder, README.md and apollo.py) under BlackLight > Plugins. The modules folder lists module text files such as several locationd_cachee... files, netusage_zliverouteperf.txt, netusage_zliveusage.txt, netusage_zprocess.txt, passes23_wallet_passes.txt, passes23_wallet_transactions.txt, powerlog_accessory.connection.txt, powerlog_airdrop.txt, powerlog_app_audio.txt, powerlog_app_deletion.txt, powerlog_app_info.txt, powerlog_app_nowplaying.txt and powerlog_app_usage_by_hour.txt. The preview of powerlog_app_info.txt (Plain Text Document, 2 KB) shows:]

[Module Metadata]
AUTHOR=Sarah Edwards/mac4n6.com/@iamevltwin
MODULE_NOTES=Get a listing of applications and associated data (app name, executable name, bundle ID, app version, app type and deletion date/status). Not really a log per se, but a good listing of application information. App Types: 1="Background iOS Service", 3=iOS Native Apps, 4=3rd Party Apps

[Database Metadata]
DATABASE=CurrentPowerlog.PLSQL
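As an added example (not code from Cellebrite Inspector or from the APOLLO project), the following Python reads an APOLLO module text file with the standard library's configparser and pulls out the module notes, the database name and the SQL behind the plugin result, so the query can be reviewed outside the GUI. The sample module is constructed from the powerlog_app_info.txt preview above; the [Query Metadata] and [SQL Query ...] sections, the PLATFORM, VERSIONS and KEY_TIMESTAMP keys and the table name are assumptions about the module layout rather than content from this page.

```python
"""Parse an APOLLO module definition and expose its query.

Added example, not code from Cellebrite Inspector or the APOLLO project.
APOLLO modules are INI-style text files, so the standard configparser reads
them; values are whitespace-normalised so the SQL can be reviewed by hand.
"""
import configparser
import re
from typing import Any, Dict

# Constructed sample modelled on the powerlog_app_info.txt preview in the
# screenshot. The [Query Metadata] and [SQL Query ...] sections, the
# PLATFORM/VERSIONS/KEY_TIMESTAMP keys and the table name are assumptions
# about the module layout, not content from the page.
SAMPLE_MODULE = """\
[Module Metadata]
AUTHOR=Sarah Edwards/mac4n6.com/@iamevltwin
MODULE_NOTES=Get a listing of applications and associated data (app name,
    executable name, bundle ID, app version, app type and deletion
    date/status). App Types: 1=Background iOS Service, 3=iOS Native Apps,
    4=3rd Party Apps

[Database Metadata]
DATABASE=CurrentPowerlog.PLSQL
PLATFORM=IOS
VERSIONS=11,12,13

[Query Metadata]
QUERY_NAME=powerlog_app_info
DATABASE=CurrentPowerlog.PLSQL
ACTIVITY=Application Info
KEY_TIMESTAMP=TIMESTAMP

[SQL Query 11,12,13]
QUERY=
    SELECT
        DATETIME(TIMESTAMP, 'UNIXEPOCH') AS TIMESTAMP,
        APPNAME AS "APP NAME",
        APPBUNDLEID AS "BUNDLE ID",
        APPTYPE AS "APP TYPE"
    FROM APP_INFO_TABLE_PLACEHOLDER
"""


def parse_module(text: str) -> Dict[str, Any]:
    """Return the module's author, notes, database, query name and queries.

    The queries dict maps each iOS major version named in an
    [SQL Query ...] header to that section's whitespace-normalised SQL.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep AUTHOR, MODULE_NOTES ... in upper case
    cp.read_string(text)

    queries: Dict[str, str] = {}
    for section in cp.sections():
        match = re.fullmatch(r"SQL Query (.+)", section)
        if not match:
            continue
        # QUERY= is followed by indented continuation lines holding the SQL
        sql = " ".join(cp[section]["QUERY"].split())
        for version in match.group(1).split(","):
            queries[version.strip()] = sql

    return {
        "author": cp["Module Metadata"]["AUTHOR"],
        "notes": " ".join(cp["Module Metadata"]["MODULE_NOTES"].split()),
        "database": cp["Database Metadata"]["DATABASE"],
        "query_name": cp["Query Metadata"]["QUERY_NAME"],
        "queries": queries,
    }


def query_for_version(module: Dict[str, Any], ios_major: str) -> str:
    """Pick the SQL that applies to one iOS major version, or fail loudly."""
    queries: Dict[str, str] = module["queries"]
    if ios_major not in queries:
        raise KeyError(f"no query in module for iOS {ios_major}")
    return queries[ios_major]


def app_type_legend(notes: str) -> Dict[int, str]:
    """Recover the 'App Types: 1=..., 3=..., 4=...' legend from MODULE_NOTES.

    The legend is what lets an examiner read the numeric APP TYPE column.
    """
    match = re.search(r"App Types:\s*(.+)$", notes)
    if not match:
        return {}
    legend: Dict[int, str] = {}
    for item in match.group(1).split(","):
        code, _, label = item.partition("=")
        if code.strip().isdigit():
            legend[int(code)] = label.strip()
    return legend


if __name__ == "__main__":
    mod = parse_module(SAMPLE_MODULE)
    print(mod["query_name"], "reads", mod["database"])
    print(query_for_version(mod, "12"))
    print(app_type_legend(mod["notes"]))
```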
During a forensic analysis, you can tag items of interest. You can use tags and tag folders to 
organize groups of similar or related items, and then include tagged evidence in the examiner 
report. 


This chapter provides these topics about tagging in Cellebrite Inspector. 

• Create a Tag 
• Choose Metadata for a Tag 
• Create a Tag Folder 
• Tags View 
• Tagging Evidence 
• Deleting Tags and Tag Folders 


Create a Tag 


You can tag almost any item in Inspector, such as pictures, text messages, calls, .plist 
information, and so on. Keep the examiner report in mind while you tag items. It's a good idea to 
tag similar items with the same tag to keep them together in the report. For instance, create one 
tag to group phone data together, another for Internet files, and two tags to group pictures (one 
for censored and one for uncensored). 


You can create tags during the course of an examination as you select items of interest. Or, if you 
have a plan in mind, you can create tags before you begin selecting items of interest. 


1. Choose one of these actions. 

   Create a tag before you select an item: In the Component list to the right of TAGS, click Add > Add Evidence Tag. 

   Select an item and then create a tag: In any Inspector view, select an item of interest, then choose one of these actions. 

   a. On the menu bar, click Tags > Tag <artifact> As, where <artifact> is the type of item you selected, and then click New Tag. 
   b. Open the context menu with that item selected, then click Tag <artifact> As, where <artifact> is the type of item you selected, and then click New Tag. 


[Screenshot: the tag properties pane with the Tag Name, Tag Folder (/), Export Files with Report, Censor Pictures and Videos and Narrative fields] 


2. In the Tag Name field, type a brief, unique descriptive name for this tag. 
The default name is Tag <#>, where <#> is an incremental number. 


3. If you created a tag folder to contain this tag, in the Tag Folder field, select the appropriate tag 
folder. 

If you select /, the tag will not be contained within a tag folder. 

4. In the Narrative field, type appropriate information such as a description of the contents of 
the tag or the reason you created the tag. 

5. To export files with this tag when you create a report, mark the Export Files with Report 
checkbox. 

6. To censor pictures and videos with this tag when you create a report, mark the Censor 
Pictures and Videos checkbox. You must mark this checkbox when the case includes images 
that are sensitive or that cannot be legally possessed by certain parties. 

When this checkbox is marked, the images remain visible in the Tags view, while in the 
Report view and in the report itself the images are censored by blurring them. 
Choose Metadata for a Tag 


You can edit a tag to choose the metadata to include in a case report for all files with the tag. 


1. Select the appropriate tag. 


[Screenshot: a tag selected under TAGS in the Component list; the Tag view shows the tag's fields (Tag Folder, Export Files with Report, Censor Pictures and Videos, Narrative) and its tagged items, such as com.apple.Maps-com.apple.Maps.recents.plist under /Users/josh/Library/SyncedPreferences/] 


2. In the Tag view, click Configure. 
The Tag Content dialog box appears. 


[Screenshot: the Tag Content dialog box. Tag Name: Media; Tag Type: PictureTag. The Include list (drag to reorder) contains BEID, FileSystemID, SizeOnDisk, Extension, ContentExtension, Date Created, Date Changed, Date Modified, Date Accessed, FileSystemOffset, fsType, Directory, Visible and Locked; the Exclude list is empty. Below the lists are the Copy these settings to field and the Reset and Close buttons] 


The Include list shows metadata that is available for this tag type. 
3. Choose any of these actions. 

• To move a metadata item between the Include list and the Exclude list, select it and then 
click the left or right arrow buttons. 

• To arrange metadata items in order of importance, drag and drop them within the 
Include list. This order determines how metadata appears in the Tag view and thus the 
report. 

• To copy these settings to another tag, select the appropriate tag in the Copy these settings 
to field. 

• To configure a different tag, select the appropriate tag in the Tag Name field and then 
perform any of these actions. 
Create a Tag Folder 


In the Tags view, tags are only sorted alphabetically; you cannot reorder them. You can create 
tag folders to help you manage large numbers of tags and influence how tags appear in Tags 
view, in Reports, and in Portable Cases. 


Tag folders contain groups of tags. You can create a tag folder hierarchy with depth. Tag folders 
appear in alphabetical order below all tags that are not contained within a tag folder. Within a 
folder, tags appear in alphabetical order. 


[Screenshot: the Component list with EVIDENCE, ACTIVITY, TAGS and CONTENT SEARCHES. Under TAGS: jpg greater than 1mb, toronto, First Tag Folder (containing recent), Insights (containing apple keychain, device connections, spotlight) and trash] 


1. In the Component list to the right of TAGS, click Add > Add Evidence Tag Folder. 
A new tag folder appears under TAGS in the Component list. The default name is Tag Folder 
<#> where <#> is an incremental number. 


[Screenshot: the Component list after adding a folder. Under TAGS: jpg greater than 1mb, toronto, First Tag Folder (containing recent), Insights (containing apple keychain, device connections, spotlight, trash), each with a number badge, followed by the new, empty Tag Folder 1; then CONTENT SEARCHES and INDEX SEARCHES] 


2. Select the new tag folder. 


[Screenshot: the tag folder fields: Folder Name (Tag Folder 1), Folder Parent (/) and Narrative] 
3. In the Folder Name field, type a brief, unique descriptive name for this tag folder. 

4. If you want this tag folder to have a parent tag folder, select the appropriate folder in the 
Folder Parent field. 
If you select /, the tag folder will not be nested within another tag folder. 

5. In the Narrative field, type appropriate information such as a description of the tag folder or 
the reason you created the tag folder. 


Using tag folders also affects views and outputs for Report and Portable Case. For more 
information see these topics: 


• Ordering Tags and Tagged Items in Reports 
• Generating and Exporting the Examiner Report 
• Select Data for a Portable Case 


Tags View 

The Tags view is one of the most important views in Cellebrite Inspector. This is where you 
organize evidence before you create the examiner's report. For more information, see Reporting. 
You cannot see the Tags view until you create a tag. For more information, see Create a Tag. 


When you create tags and apply tags to items, they populate the list of tags in the Component list 
and the Content pane in the Tags view. 


To see the Tags view, select any tag or tag folder in the Component List. 


[Screenshot: the Tags view for the toronto tag. The top of the Content pane shows Tag Name (toronto), Configure, Tag Folder (/), Export Files with Report, Censor Pictures and Videos and Narrative; below it are the tagged items (Locations, 12 items) with the selected item's metadata, such as Name com.apple.Maps-com.apple.Maps.recents.plist, Path /Users/josh/Library/SyncedPreferences/..., Size 11029, Extension plist, and a Show on Google Maps... action. The status bar shows the item's full path under /Racer - Data/Users/josh/Library/SyncedPreferences/] 
Actions in the Tag View 


You can expand or collapse items in the Content pane to create more space to view other items. By 
default, items are expanded. In the upper right corner of each item in the Content pane, click 
expand or collapse. 


These are the other options for tagged items; each is an icon shown on the tagged item. 

• Click to add a note to the selected tagged item. 
• The tagged item has a note. Click to see or edit the note. 
• The tagged item has associated metadata. Click to change the metadata selections 
included in the examiner report. 
• The tagged item has geolocation data. Click to add the location map along with the 
item. The icon is green when it is selected. 


Change the Order of Items within a Tag 


You can rearrange tagged items within a tag. Tagged items appear in the examiner report in the 
same order they appear in the Tag view. 


On the far-right side of the tagged item is a handle. Grab and hold the handle and drag the item 
up or down to move it in the list. Release the item in the appropriate position in the list. 


[Screenshot: Files (5 Items) in a tag's Content pane: AFC-Info.plist, promotions.sqlite, googleanalytics.sql, cache.db and recents.db, each with its Path and Size and a drag handle on the far right] 
Move Items to a Different Tag 


You can move tagged items to other tags by dragging and dropping. Select one or several tagged 
items and drag them to a different tag in the Component list. If more than one item is selected, 
a red number badge indicates the quantity of tagged items being moved. 


When items are moved to a different tag, a gray border appears around the destination tag 
name. When the correct destination tag is selected, drop the items. The number badges for both 
the source and destination tags reflect their new quantity of tagged items. 


Edit a Tag 


You can change the name of a tag by typing its new name in the Tag Name field. Similarly, you can 
change what tag folder contains a tag, add or edit the narrative for a tag, and change settings for 
exporting files with a report and censoring images. For more information, see Create a Tag. 


Tagging Evidence 


Inspector automatically assigns a keyboard shortcut to each new tag as it is created. For 
example, the first tag's shortcut is CMD+1 (Mac) or CTRL+1 (Windows), the second tag's shortcut 
is CMD+2 or CTRL+2, and so forth. 


There are many ways to tag evidence. Begin by selecting any item from one of the panes or views 
in the Case window, then use the approach you prefer. 


• On the menu bar, click Tags > Tag <Item Type> As. 

• Open the context menu and click Tag <Item Type> As. 

• Drag and drop the item from the Case window onto an existing tag. 

• Press the shortcut keys for a specific tag. To see shortcut keys for all the tags in the 
Component list, select an evidence item and then hold down the CMD key (Mac) or the CTRL 
key (Windows). 

• Press the shortcut keys for the tag last used, CMD+T (Mac) or CTRL+T (Windows). 


The label of the Tag <Item Type> As menu option reflects the type of item you have selected. For 
example, if a .plist item is selected for tagging, the label of the menu option is Tag Plist Data As. 
If an SQLite database element is selected, the label changes to Tag SQLite Record As. 


Tagged files are marked with a tag icon. 
In the Tags section of the Component list, a number badge shows how many items each tag 
contains. 


[Screenshot: the Component list with EVIDENCE (Bennett-Computer-20052...), ACTIVITY (Evidence Status, Export Status), TAGS (Email, Calls, SMS, Tag 2, each with a number badge), CONTENT SEARCHES, INDEX SEARCHES (New Index Search) and INVESTIGATIVE NOTES] 


Tagging File Content 


You can tag a piece of file content or parsed information without tagging the entire file. This is 
useful to tag items of interest parsed by Inspector or contained within .plist files, SQLite 
databases, and so forth. 


For each category in Actionable Intel, there is a corresponding tagging submenu (such as Device 
Backups, Device Connections, Air Drop, Apple Keychain, Apple Spotlight Shortcuts, and so on). 
Similarly, there are corresponding tagging submenus for each sub-view in Communications, 
Locations, Internet, Productivity, and System. Data tagged from Plugins is tagged as the data 
type Plugins. 
These are the other content-aware data types. 


Content         Description 
Plist Data      Individual items from within a Plist file 
SQLite Record   Individual record from within an SQLite database 
Hex Data        Hexadecimal data 
Text            Highlighted text 


Under most circumstances, the parent file containing tagged file content is marked with a tag 
icon to indicate it contains tagged content. A single tagged .plist file item or a single tagged 
database record also has a tag icon that is visible in the File Content view, but some tagged 
content items, including tagged text snippets and hex data, do not. 


Tagged .plist items may appear to have some numbering inconsistencies. For example, if a 
single .plist item is tagged as item number 4, it may appear in Tags view and Case Report view 
as item number 0. This happens because .plist files store data in arrays. Data in these arrays are 
not stored with corresponding numerical values. 


Tagging Email 


If email previews must be included in the examiner report or a portable case, you must tag the 
email from within the Email sub-view of the Communications view or from Index Search when 
the Type field is Email. Email tagged in any other view, such as File Filter or in search results, 
does not result in previews in a report. For more information, see these topics: 


• Inspector Preferences or Options 
• Create a Tag 
Tagging External Content 


External items such as a screenshot can be tagged and added to the case if necessary. 


If a file cannot be displayed in Inspector, export the file and open it in its native application. Take 
a screenshot and save it to the desktop. Select the appropriate tag in the Component list. Drag 
the file from the desktop and drop it into the Content pane. 


[Screenshot: a screenshot file being dragged from the desktop into the Content pane of the selected Email tag; the Tags view shows the tag's fields (Narrative, Export Files with Report) and the tagged email records with their Date Read and Date Delivered values] 


This drag-and-drop method is the only way to add external content to an Inspector case. 


The process of tagging large amounts of items happens in the background, which allows you to 
accomplish other work in the case. If you close the case while tagging is still happening in the 
background, you can then choose to keep the case open so you don't lose all items still in 
process. 
Deleting Tags and Tag Folders 


Items can be removed from tags, and the tags themselves can be deleted. 


In any view except Tags and Browser view, select one or several tagged items, open the context 
menu, and then click Remove <Item Type> From Tag. Every tag container the items are stored in is 
listed. You can select all or one of the tag containers to remove the items from. 


[Screenshot: several outgoing SMS records selected in the Content pane with the context menu open; the Component list shows the evidence item Bennett-Computer-200520.E01, the Email, Calls and SMS tags, CONTENT SEARCHES and INDEX SEARCHES, and the status bar shows the selected record's source file /Racer - Data/Users/josh/Library/Messages/chat.db] 


In the Tags view, you can use the Tags menu, the context menu, or the Edit menu to take these 
actions. 


• Select and delete any or all items from a tag but keep the tag itself. 
• Select a tag to delete it and remove all items in that tag. 
• Select a tag folder to delete it as well as all tags and tagged items within it. 
The Classification feature in Cellebrite Inspector provides another facet for identifying evidence 
items and managing how they are seen in portable cases and reports. 


This chapter provides this information about Classification. 


• Define Classifications 
• Classify Items 
• See Classified Items 
• Filter by Classification 
• Remove Classifications from Items 
• Apply and Remove Classifications with Tags 


Define Classifications 


The first three classifications, Privileged, Sensitive, and Relevant, cannot be edited. You can 
define the remaining seven classifications as necessary. 


1. Open or create a case file and then click Manage > Classifications. 
The Classifications dialog box appears. 

2. Select any classification other than Privileged, Sensitive, or Relevant. 

3. For the selected classification, click in the Description column. 


[Screenshot: the Classifications dialog box. It reads: Click on a row to select it and then click on the description to edit it. Descriptions in italics are predefined and may not be changed. The item count represents the number of items that are assigned to the classification. The table (Description, Item Count) lists Privileged 4, Sensitive 4, Relevant 3, Technical Publications 18, and Classification #5 through Classification #10 with 0 each, followed by a Close button] 


4. Type the appropriate name for this classification and then press ENTER. 


Classify Items 


You can classify evidence items in all views individually or with several items selected at once. 
You can apply more than one classification. 


• Select the item, click Classifications > Classify Files As, and then select the appropriate 
classification. 

• Select the item, open the context menu, click Classifications > Classify Files As, and then select 
the appropriate classification. 
See Classified Items 


The Classification column is available in all views as the last column. You can sort this column. 


[Screenshot: a file list whose last column is Classifications, with values such as Technical Publications; Privileged, Technical Publications; Relevant, Technical Publications; Sensitive, Technical Publications; and Privileged, Relevant, Technical Publications] 


Multiple classifications are separated by commas and the order is always the same as the list of 
classifications. 


Filter by Classification 


Classification is available in the File Filter view and when filtering within specific views. 


[Screenshot: the File Filter view with the condition Classification = Technical Publications, the Invert Filter and Ignore Folders and Duplicate Files options, and the Reset..., Save This Filter and Filter buttons; the result list (Content Extension, Path, Directory, Locked, Hidden, MD5, Entropy, Classifications) shows only items carrying the Technical Publications classification] 


Remove Classifications from Items 


You can remove all or any single classification from items. 


• Select the item, click Classifications > Remove Classification from Files, and then select either 
the appropriate classification or click All. 

• Select the item, open the context menu, click Classifications > Remove Classification from Files, 
and then select either the appropriate classification or click All. 
Apply and Remove Classifications with Tags 


You can use tags as a means to apply classifications to items and remove classifications from 
items. 


1. Under TAGS in the Component list, click the appropriate tag. 
2. Choose either of these actions. 


• To apply a classification to all items with this tag, open the context menu, click Classify 
Tagged Items As, and then click the appropriate tag. 

• To remove a classification from all items with this tag, open the context menu, click 
Remove Classification from Tagged Items, and then click the appropriate tag or click All. 


For more information, see Tags. 
Reporting 


This chapter provides these topics about reporting in Cellebrite Inspector. 


• Report View 
• Ordering Tags and Tagged Items in Reports 
• Reporting Device Details 
• Generating and Exporting the Examiner Report 


Report View 


In the toolbar, click Report. Options for the examiner report appear along with a report preview. 


You can create a simple report that details all of the information without first tagging everything 
in the case. In the report side bar, click Case Data. This lets you quickly select everything or 
select only certain things to report on. To select all or none, press SHIFT while you click on the 
report element header. 


[Screenshot: the report preview header (Cellebrite logo, Digital Forensics Report) with the Case Name (Inspector Case), Case Number, Report Date (2021-03-18), Examiner Name, Examiner Title, Examiner Company, Examiner Address, Examiner Email, Examiner Phone and Examiner Fax fields] 


You can customize the report logo by dragging and dropping a new logo on top of the Cellebrite 
logo. Alternatively, you can click the logo to select a new one. 


You can select evidence items to report on, then click Configuration (the wheel icon) to the right 
of Case Data. Choose Selected evidence items from the menu, and only those items will appear in 
the report. 


[Screenshot: the Report Elements list (Digital Forensics Report, evidence items such as pagefile.sys and hiberfil.sys, Evidence Tags) with the Case Data configuration menu open, offering All evidence items and Selected evidence items, currently (2) (6) (7) (10); the Case Data sections include Calls, Contacts, Device Backups and Device Connections, and the preview shows Case Name Bennett] 
HTML reports are broken down into smaller pages to make it easier to load onto systems. 
Items in the Report Elements list correspond to items in the Case Info view, and the Evidence 
and Tags sections of the Component list. You can include a table of contents that links to each 
section of the report. The Contents section links work in reports exported to .html, .pdf, or .docx 
format. 


To include Report Element items in the examiner report, on the left side of each item, mark the 
checkbox next to the necessary items. To exclude items, unmark the necessary checkboxes. 


You can also change the order of items in the report. For more information, see Ordering Tags 
and Tagged Items in Reports. 


Ordering Tags and Tagged Items in Reports 


In the Report view, the order of items in the Evidence Tags section of the Report Elements list is 
the order in which they will appear in the examiner's report. Elements at the top of the list 
appear first in the examiner report. Therefore, it's a good idea to move the most important 
evidence tags toward the top of the list so they appear earlier in the report. 


You can select tags and tag folders and drag them up or down within the Evidence Tags section 
of the Report Elements list. Click and drag items up or down and release them in the appropriate 
location. 


[Screenshot: two Report Elements lists side by side (Cover Page, Case Info, Contents, Evidence Tags, Case Data), before and after dragging the Insights tag folder and its tags (apple keychain, trash, device connections, spotlight) above toronto, Tag Folder 1 (recent) and jpg greater than 1mb] 


When you select a tag folder in the Report Elements list, all tags within that folder are selected. 
You can also select or deselect individual tags within a tag folder. While tag folders do not 
appear in the examiner's report, selected tags within a tag folder do appear in their order within 
the tag folder. You cannot move a tag out of its tag folder in Report view. 
You cannot reorder individual tagged items in the Report view, but you can reorder them in the 
Tags view. 


1. Select the appropriate tag under TAGS in the Component list. 
In the Content pane, all items with the selected tag appear. 


[Screenshot: Files (5 Items) in the Content pane of the selected tag: AFC-Info.plist, promotions.sqlite, googleanalytics.sql, cache.db and recents.db, each with its Path and Size and a drag handle on the far right] 


2. Grab and hold the handle on the far-right side of the appropriate tag and drag the item up or 
down to move it in the list. 

3. Release the item in the appropriate position in the list. 

4. To see the item's new location in the examiner's report preview, click Report in the toolbar. 


You may find it helpful to see both the Tags view and the Report view at the same time. 


1. On the menu bar, click Window > New Window for this Case. 

2. Place the two windows side by side. 

3. Select a tag in one window, and on the toolbar in the other window, click Report. 

4. In the Tags window, select a tag and reorder the items within the tag. 

5. In the toolbar of the Report window, click Report to refresh the report preview. 
Tagged items appear in their new order in the report. 


Reporting Device Details 


You can show or hide data associated with each device in the Report Elements list. Disk image 
partitions and unallocated space are listed separately, and a checkbox appears to the left of 
each. Conversely, each device representing a logical acquisition, such as an evidence folder or 
an iOS device backup, normally has only one data item with one checkbox associated with it. 


This allows you to select or deselect device details (as seen in the Details view) for any device 
partitions appearing in the examiner report. 


[Screenshot: the Component list with EVIDENCE expanded to show Bennett-Computer-20082..., Racer - Data, Bootcamp, Bennett-Mem.dmp and The6, each with its own checkbox; ACTIVITY (Evidence Status, Export Status), TAGS, CONTENT SEARCHES, INDEX SEARCHES (walking dead) and INVESTIGATIVE NOTES] 
[Screenshot: the report preview (Digital Forensics Report, Report Date 3/18/2021, HTML format, Generate Report) listing the selected evidence (Bennett-Computer-200520, Racer - Data, Racer, BOOTCAMP) and the device details of an encrypted iOS backup: Path under the case's Partitions folder, Type iOSBackupEncrypted, Sector Size 512, Initial Report Writer Case Version Inspector 10.3, Name The6, Snapshot and Snapshot Date Not Available, Model Version iPhone 8 (Model A1863, A1905, A1906, A1907), Carrier and Capacity Not Available, Phone Number, and Cellular Usage (Data Available, with the phone numbers seen)] 


Device details from the Details view cannot be included or excluded individually in the Inspector 
Report view; however, these items are exported separately. Therefore, you may delete them as 
appropriate after the report is generated and exported. 


Generating and Exporting the Examiner Report 


In the top left corner of the Content pane, set the Report Date to the current date, and then select 
an export file format for the report. Examiner reports can be exported as searchable .pdf, .html, 
.docx, .csv, or plain text files. 


To preview the report, drag the scroll bar on the right side of the Content pane up or down (or use 
the scroll bar navigation arrows at the bottom of the scroll bar). 


For email previews to be included in reports, you must enable them on the Reports tab of the 
Preferences or Options window for Inspector. For more information, see Inspector Preferences 
or Options. Additionally, the emails must be tagged either within the Email sub-view of the 
Communications view or from Index Search when the Type field is Email, and you must also 
mark the Export checkbox in the Report view. 


You can control whether pictures and videos are censored in the report. For more information, 
see Create a Tag. 
After all settings are appropriate, click Generate Report. A Save prompt appears. 


Inspector exports the examiner report to a folder with the default name Inspector Report <current 
date and timestamp>. To change the default folder name, type a new folder name into the Save As 
field. Choose a location to save the report and click Save. 


When the report generator finishes creating the report, a Report Complete dialog box appears. 
To see the exported report in the file system, click Reveal Report. To open the report, click Open 
Report. You may view, search, and modify the exported report in an appropriate application, such 
as Microsoft Word (.docx report) or a web browser (.html report). The report folder contains the 
report itself and an Evidence folder. The Evidence folder contains exported files associated with 
tags where the Export checkbox within the Report Elements list was checked. The Evidence 
folder also contains an Export Log.txt file. 


On Mac computers, if you use the default preview app for viewing a report, links may not work. If 
this happens, view the report using Adobe Acrobat Reader DC. 
Portable Cases 


This chapter provides these topics about portable cases in Cellebrite Inspector. 


e Select Data for a Portable Case 
e Generating and Reviewing a Portable Case 
e Portable Case Interface 


Select Data for a Portable Case 


The Portable Case feature lets you share case data for offline review. A portable case from 
Inspector does not rely on access to the original evidence files. Instead, logical evidence files are 
created. These include only data selected for sharing as part of the portable case file. 


To create a portable case file, click Share on the toolbar. From the parsed evidence items listed 
in the Component list, select the evidence to include in the portable case. The Content pane 
contains these areas: Extracted Data, Tag, and Search. By default, all data in each area is selected 
for inclusion. Most likely, you will need to modify selections in each area. 




Note: For email previews to be included in a portable case, you must enable them on the 
Reports tab of the Preferences or Options window for Inspector. For more information, see 
Inspector Preferences or Options. Additionally, the emails must be tagged either within the 
Email sub-view of the Communications view or from Index Search when the Type field is Email, 
and you must also mark the Export Files checkbox for the appropriate items in the Share view. 


You can also control whether pictures and videos are censored in the portable case. For more 
information, see Create a Tag. 
Extracted Data 


In Extracted Data, sections of Inspector where data is parsed are listed, including Actionable 
Intel, Communications, Media, Locations, Internet, and Productivity. For each section, the 
associated processing options must be run for data to be parsed. For example, if Video Analysis 
has not been run, no Videos will be listed for extraction in the Media section. In parentheses after 
each section label, the number of items parsed for that label is listed. If the number of items for 
a section is listed as (0), either no data of that type was parsed from evidence or the processing 
option to parse that data has not been run. As items are selected or deselected in the 
Component list, these numbers automatically adjust. 


For each Extracted Data type selected, the associated files are exported into a logical evidence 
file for inclusion in the portable case. For some Extracted Data types, such as Media, the number 
of files and the size of the files for an evidence item can be quite large. Keep this in mind while 
you choose data to include in portable cases. 


You can show or hide sub-views parsed for Extracted Data types. Some sub-views have 
additional sub-views. To exclude an Extracted Data type from the portable case, unmark the 
checkbox for that data type. 


Below the Extracted Data list, you can mark the checkbox for Limit Extracted Data to date 
range. Do this to specify a date range to limit the data included in the portable case to a time 
period of interest to the reviewer. Limiting the data based on a date range may be useful in 
cases where the reviewer is only allowed to see items from a specific period of time. With 
this enabled, the number of items for each Extracted Data section is adjusted to show the 
number of items that fall within the specified date range. 


Below the date range limitation, you can choose classifications. For more information, 
see Classifications in Portable Cases. 
Tag 


All the tags and tag folders you created in this case file appear in the Tag area of the Share view. 
The name of the tag appears with the number of items included in the tag. Just like creating a 
report in Inspector, there is an option to Export Files for each tag. When you choose this option, 
the files associated with the tagged data are exported into the portable case and stored in a 
logical evidence file. 


For more information, see Tags. 
Search 


The Search area in the Share view lists the content searches performed. Content searches 
locate data based on keywords. This mechanism can be used to effectively limit the data in the 
portable case based on keywords of interest to the reviewer. While content searches cannot be 
limited by a date range in the Share view, data can be filtered when running a content search by 
date. 




Content searches selected for inclusion are available in the portable case. 


Classifications in Portable Cases 


When you create a portable case, you can limit extracted data with classifications. If you select 
any classifications, only data with the selected classifications appears in the portable case, as 
well as data with no classifications. Data with different (not selected) classifications does not 
appear in the portable case. 


For example, consider a case using the three pre-defined classifications, Privileged, Sensitive, 
and Relevant. Some data is only classified once, some twice, and some with all three 
classifications. When you create a portable case, you choose to include only data classified as 
Sensitive and Relevant; you do not select Privileged. In the portable case, this is the result. 


e Data classified only as Privileged does not appear. 
e Data classified as either or both Sensitive and Relevant does appear. 
e Data classified as Privileged and also either Sensitive or Relevant does appear. 
e Data classified with all three classifications does appear. 


Generating and Reviewing a Portable Case 


Once items have been selected to be included in the portable case, you can choose which 
Inspector Portable Case readers will be exported with the portable case data. By default, 
Portable Case readers for both Windows and Mac computers are selected. Leave them both 
selected if you don't know exactly which platform will be used to review the case. Click Generate 
Portable Case. 




If indexing was run on the evidence items selected for export, a new Index will be created 
containing only the evidence items that fit the criteria for inclusion. The default name of the 
portable case file is taken from the name of the Inspector case file. When one or more readers are 
included, a folder is created for the portable case which contains the portable case file and the 
readers. The folder name matches the portable case name. 


Once portable case generation begins, the bottom of the Content pane reveals the status. The 
data is prepared and then exported into a .PortableCase file. Like an Inspector case file, on Mac 
computers the .PortableCase file is a bundle that contains files and folders. The .PortableCase 
file is created in a folder along with the selected readers in a compressed format. If no readers 
were included, only the .PortableCase file is created. This example shows portable cases created 
with both readers included, one reader included, and no reader included. 


Name                                  Size       Kind 
Bennett                               --         Folder 
    Bennett.PortableCase              28.32 GB   Portable Case 
    Portable Case 10.1_macOS64.zip    1.08 GB    ZIP archive 
    Portable Case 10.1_win64.zip      1.17 GB    ZIP archive 
Search                                --         Folder 
    Portable Case 10.1_win64.zip      1.17 GB    ZIP archive 
    Search.PortableCase               27.48 GB   Portable Case 
Tag.PortableCase                      255.9 MB   Portable Case 


The size of the portable case depends on what data was included in the export. 


Reviewing a Portable Case 


Once a portable case is created, you should open it with Cellebrite Inspector to review the 
contents and ensure the appropriate data was included. If any information was missed when the 
portable case was generated, you must create a new portable case. Data cannot be added to a 
portable case file. 
Portable Case Interface 


The Inspector Portable Case reader resembles Cellebrite Inspector. When you open a portable 
case file with Inspector, some functions of Inspector are disabled, in effect creating an 
experience similar to the Portable Case reader. 


Menu Bar 


Options in the menu bar provide access to limited functions. From the menu bar, you can open 
and close cases, save file listings, export selected rows (in tab-delimited or csv format), and 
perform tagging functions. 




Toolbar 


The toolbar is used to select the view to show in the Content pane. Some icons always appear. 
Other icons appear only if data corresponding to them was selected or if tags were exported 
when the portable case was generated. For each data category selected, the corresponding icon 
appears. If a portable case contains data only from exported tags and none from Extracted Data, 
the icons correspond to the data contained in the exported tags (with one exception). 


Button | Description 


Opens the Case Manager window. 


Case Info: See case details, including Examiner Information, Case Information and 
Case Time Zone Display. You may change the Case Time Zone Display. 
Always appears. 


Report: See the examiner report. You can generate new reports containing information 
identified during the review process. 
Always appears. 


Browser: See the files included in the portable case, stored in the same structure 
as the original file system. You can navigate through the file structure containing the 
exported files. You can see file timestamps, sizes, extensions, and hash values. You can 
select a column heading to sort files by the column attribute. 
Always appears. 


File Filter: See the file filters from Inspector. While all file filters are listed, they do not 
all work. Portable cases maintain limited metadata. For example, geolocation metadata is 
not stored in a portable case. The built-in saved filter Geo Location is still available in 
portable cases, but running it returns no results. 
Always appears. 


Actionable Intel: See various types of data that can mostly be attributed to a user's 
actions. The data is stored in a tree style menu with sub-views of these items. 
e Device Backups 
e Device Connections 
e Account Usage 
e Downloads 
e File Knowledge 
e Passwords 
e Program Execution 
e Search 


Communication: See sub-views containing calls, messages, posts, voicemail, voice 
memos, favorites, contacts, and email. This includes data parsed from SMS, 
iMessage, and messages from other communication apps such as Skype, 
WhatsApp, Textfree, Kik, and so forth. 


Media: See sub-views containing Pictures, Videos, or Thumbnails, or use the 
Combined sub-view to see all these together. The Videos sub-view includes the 4x4 
mosaics made up of sixteen frame-sequence slices. The Audio sub-view lets you 
see and play audio files. 
This view is available only when Media is selected in the Extracted Data section 
during case generation. Tagged media does not populate the Media view in a 
portable case. 


Locations: See this data. 
e Google and Apple Maps usage 
e geolocation data from media files, calendar and social media apps 
e Wi-Fi network information 
e additional location services data 


Internet: See internet history and cache information for Safari, Firefox, Chrome, 
Internet Explorer, and Edge browsers. The Internet view displays exported information 
associated with Safari, Firefox, Google Chrome, Internet Explorer, and Edge web browsers. 


Productivity: See data from the Calendar and Notes applications (macOS and iOS). 


Exported search items do not affect the views available in the toolbar. Data included in the 
portable case by means of a content search is accessible in the Browser and File Filter views. 


Component List 
The Component list includes these sections. 


e Evidence 

e Content Searches 
e Index Searches 

e Tags 

e Investigative Notes 


Just as with Inspector, the Evidence section of the Component list contains a hierarchical device 
list. Only evidence items selected when the portable case file was created are listed. The original 
badge numbering from the Inspector file transfers to the portable case. In a portable case, evidence 
items can be reordered by highlighting a specific item and dragging it up and down in the list. 
New evidence items cannot be added to the portable case. To review the data in the devices or 
device partitions, they must be selected in the Evidence section. 


The Tags section of the Component list provides access to Tag data included in the portable 
case. Tags exported during portable case generation cannot be altered. The case reviewer can 
create, edit and delete new tags in the portable case. 


The Content Searches section of the Component list allows users to create content searches and 
displays content searches exported into the portable case. Any new content searches are saved 
in the portable case file. To create a new content search, click Add. For more information, see 
Search. 


The Index Searches section of the Component list provides access to the Smart Index. If the 
exported data was indexed in the Inspector case, the portable case will contain a Smart Index. 
Queries of the Smart Index are saved in the portable case file. To create a new Index Search, 
click Add. For more information, see Search. 
The Investigative Notes section of the Component list provides an area for the case reviewer to 
copy and paste or type in information they wish to note during the case review. To create a new 
Investigative Note, click Add. 




Content Pane 


Information displayed in the Content pane depends on the view selected in the toolbar and the 
devices selected in the Evidence section of the Component list. This example shows the Browser 
view. 


This example shows the Thumbnails sub-view in the Media view. 


The views for Actionable Intel, Communication, Media, Locations, Internet, and Productivity have 
a file filter. To show or hide the file filter, click Show/Hide Filter (three arrows) at the top right of 
the Content pane. When the Show/Hide Filter button is black, no filter is applied. While at least 
one filter is applied, the button is green. 


File Content View 


With a file selected in the Content pane, the File Content view provides two options to see the 
selected item, Strings or Preview. 


To see ASCII printable strings of three characters or more, click Strings. 
To see a file as it would appear in its native application, click Preview. 


If the selected file is a text file, you can perform a keyword search within the displayed text 
strings in both the Strings view and Preview views. 




Only for Mac computers, you can see the file using Quick Look. In the Content pane, select a file 
and then in the File Content view, click Quick Look (eye button). Quick Look shows native Apple 
application files (and some third-party application files) the same way a user sees them. Audio 
and video files play within Quick Look as well. 
File Information Pane 


The File Information pane shows metadata associated with a file selected in the Content pane. In 
a portable case file, the shown metadata is limited to common file system metadata, some 
filesystem metadata unique to APFS and HFS+, and some metadata stored for the file from 
Inspector processing. These fields are available for files in the File Information pane: 


e BBTID - The reference ID of a given file or folder within Inspector's casefile database 
e FileSystemID - The filesystem ID parsed from the file record 
e Name 
e Path 
e Size - Logical size 
e SizeOnDisk 
e Extension - File extension stored in file system 
e Content Extension - Displays the extension based on content header (file signature) 
e Date Created 
e Date Changed 
e Date Modified 
e Date Accessed 
e FileSystemOffset 
e fsType 
e Directory 
e Visible - Displays hidden/visible status 
e Locked - Displays locked/unlocked status (e.g., read-only) 
e Owner ID (macOS, iOS) 
e Group ID (macOS, iOS) 
e Permissions (macOS, iOS) 
e Entropy 
e ForkCount 
e MD5 
e SHA1 
e SHA256 


Note: Metadata for directories differs from file metadata. 


Accessing Portable Case Files 


When you install Cellebrite Inspector, you are provided with .zip files containing the portable 
case readers for Mac and Windows computers. 


InspectorPortableCase-10.3-macOS64.zip 
InspectorPortableCase-10.3-win64.zip 


When the checkboxes for including the executables for Windows and Mac are marked, these .zip 
files are copied into the folder created for the portable case when it is generated. 




The case reviewer should decompress the .zip file for the version of the Portable Case reader 
appropriate for the operating system of their reviewing computer. 


Inspector Portable Case readers cannot open Inspector case files, do not require installation, 
and do not require an Inspector license. 
Hash Set and File Signature DB Management 


This chapter provides these topics about hash set and file signature database management for 
Cellebrite Inspector. 


e Hash Sets 
e File Signature Databases 
e PhotoDNA and Project VIC 
e C4ALL 
e Semantics21 


Hash Sets 


Cellebrite provides hash sets for use in Cellebrite Inspector from our website. The hash sets 
include a Known OS X System Files hash set and a Known Windows System Files hash set. The 
Known OS X System Files hash set includes MD5 hashes for every system file from OS X 10.0.0 
through OS X 10.15.7 for Intel architectures. The Known Windows System Files hash set includes 
MD5 hashes for Windows version 7, 7.1, 8, 8.1, and 10. 


All hash set databases include only unique file hashes. 


By default, hash sets are saved in the /Application Support/Cellebrite/Hash Sets folder. This folder 
is found in these locations, depending on the operating system of the analysis computer. 


e macOS: /Users/<username>/Library/Application Support/Cellebrite/Inspector/Hash Sets 
e Windows 10: C:\Users\<username>\AppData\Roaming\Cellebrite\Inspector\Hash Sets 


You may also import existing custom Inspector (.blhs), EnCase (6.19 and lower), and NSRL hash 
sets. Hash sets saved as plain text documents may be imported, as long as the document 
contains one hash value per line with each line separated by a carriage return. Hashes contained 
in a plain text document can be MD5, SHA-1, or SHA-256. Inspector automatically identifies the 
hash type when the file is imported. Custom hash sets created in Inspector are automatically 
saved in the .blhs format and are available for use in all Inspector cases. 


To view and manage hash sets in Cellebrite Inspector, in the menu bar click Manage > Hash Sets. 
There are two ways you can add an Inspector .blhs format hash set. 


e In the bottom left corner of the Manage Hash Sets window, click Import and navigate to and 
select the desired hash set. 

e From Finder on Mac computers or File Explorer on Windows computers, drag a hash set 
onto the Manage Hash Sets window. 


You cannot remove bundled Inspector hash sets; however, you can remove custom hash sets 
created using Inspector or imported hash sets. 


e To remove a hash set, select a hash set in the list, and in the bottom left corner of the 
Manage Hash Sets window click Remove. 


You can import an EnCase, NSRL, or text file hash set. 


e In the bottom corner of the Manage Hash Sets window, click Import. Navigate to and select 
the hash set, and then click Open. 
You can generate and save a custom hash set from specific files in any Inspector view. 


1. Select the files of interest either manually, by running a filter, or by selecting all files in the 
case. 
To generate a hash set of every file in a case, open the Browser view, and then select the root 
folder (at the top of the file list). 

2. In the menu bar, click Action > Export Hash Set. 

3. In the Hash Set Export window, select which hash values to store in the hash set, and then 
click Continue. 


Hash Set Export dialog: Select hash sets to export (MD5, SHA-1, SHA-256); Cancel / Continue. 


4. Type the name of the hash set, then click Save. 


Before you run a custom hash set, you should know if the hash set contains SHA-1 or SHA-256 
hash values. By default, Inspector only runs hash comparisons using MD5 hash values. You can 
change the Hash Comparison settings on the General tab in the Preferences window. For more 
information, see Inspector Preferences or Options. 


When this preference is set correctly, you can run this process. 


1. Select Evidence Status in the Component list. 




2. For the appropriate device, click the yellow Play button next to Known Files. 

3. In the Hash Sets window, mark the checkbox for the custom hash set, click OK, and wait for 
processing to complete. 
The Known Files column shows Pending until the process is complete. 

4. When the process is complete, select the device in the Component list, and then click File 
Filter in the toolbar. 
5. In the field on the left, select Hash Set, then choose either Files In Hash Set or Files Not In Hash 
Set in the middle field. 


6. In the field on the right, select the custom hash set by name, and then click Filter. 
You can repeat this process on multiple devices and compare the results. 
You can rerun a hash set even if it shows as complete in the Hash Sets window. 


1. Once a hash set is shown as Complete, open the context menu and click Rerun. 
2. Now you can mark the checkbox for that hash set and run the hash set again. 
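As an added illustration (example code, not part of Inspector) of the plain-text hash set import described under Hash Sets and of the Files In Hash Set / Files Not In Hash Set filter above, the following Python parses a one-hash-per-line text file, infers its algorithm from the digest length (an assumption about how the hash type is identified), and applies it under a hash-comparison preference that defaults to MD5 only, so the SHA-1/SHA-256 pitfall shows up as an empty result rather than a false "no known files" conclusion. The sample files and hash set text are constructed.

```python
"""Added example, not Cellebrite's code: parse a plain-text hash set (one hash
per line), infer its algorithm, and apply it as a 'Files In Hash Set' /
'Files Not In Hash Set' filter under a hash-comparison preference that
defaults to MD5 only, as the text describes."""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Assumption: the algorithm is inferred from the digest length, which is how
# a tool can tell MD5, SHA-1 and SHA-256 apart in an untyped text file.
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

HashSet = Tuple[str, Set[str]]  # (algorithm, lowercase hex digests)


def load_text_hash_set(text: str) -> HashSet:
    """Parse one hash per line (CR, LF or CRLF terminated). Blank lines are
    skipped, case is normalised and duplicates collapse, so the result holds
    only unique hashes. Non-hex lines or mixed digest lengths are rejected."""
    algo: Optional[str] = None
    hashes: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not HEX_RE.match(line) or len(line) not in DIGEST_LENGTHS:
            raise ValueError(f"line {lineno}: not a recognised hex digest: {line!r}")
        this_algo = DIGEST_LENGTHS[len(line)]
        if algo is None:
            algo = this_algo
        elif this_algo != algo:
            raise ValueError(f"line {lineno}: {this_algo} digest in a {algo} hash set")
        hashes.add(line.lower())
    if algo is None:
        raise ValueError("hash set contains no hashes")
    return algo, hashes


def files_by_hash_set(files: Dict[str, bytes], hash_set: HashSet,
                      comparison_algos: Tuple[str, ...] = ("md5",),
                      in_set: bool = True) -> List[str]:
    """Emulate the File Filter condition. Only digests whose algorithm is
    enabled in comparison_algos are computed, so a SHA-256 hash set run with
    the default MD5-only preference matches nothing: that is the pitfall the
    text warns about, not a defect in the hash set."""
    algo, hashes = hash_set
    if algo in comparison_algos:
        matched = {name for name, data in files.items()
                   if hashlib.new(algo, data).hexdigest() in hashes}
    else:
        matched = set()
    chosen = matched if in_set else set(files) - matched
    return sorted(chosen)


# Constructed sample "case": three files with made-up contents.
SAMPLE_FILES: Dict[str, bytes] = {
    "desktop.ini": b"[.ShellClassInfo]\r\nIconResource=%SystemRoot%\\system32\\imageres.dll,-183\r\n",
    "Alphabet.xml": b"<alphabet><letter>A</letter></alphabet>",
    "notes.txt": b"examiner notes, not a known system file",
}


def _digest(name: str, algo: str) -> str:
    return hashlib.new(algo, SAMPLE_FILES[name]).hexdigest()


# Constructed MD5 text hash set: an uppercase entry, a blank line and a
# duplicate, all of which the loader is expected to tolerate.
KNOWN_MD5_TEXT = "\r\n".join([
    _digest("desktop.ini", "md5").upper(),
    "",
    _digest("Alphabet.xml", "md5"),
    _digest("desktop.ini", "md5"),
])
# Constructed SHA-256 text hash set covering only notes.txt.
KNOWN_SHA256_TEXT = _digest("notes.txt", "sha256") + "\n"

if __name__ == "__main__":
    md5_set = load_text_hash_set(KNOWN_MD5_TEXT)
    print("in set:", files_by_hash_set(SAMPLE_FILES, md5_set))
    print("not in set:", files_by_hash_set(SAMPLE_FILES, md5_set, in_set=False))
    sha_set = load_text_hash_set(KNOWN_SHA256_TEXT)
    print("sha256 set, md5-only comparison:", files_by_hash_set(SAMPLE_FILES, sha_set))
    print("sha256 set, sha256 enabled:",
          files_by_hash_set(SAMPLE_FILES, sha_set, comparison_algos=("md5", "sha256")))
```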




File Signature Databases 


You may create custom file signature databases and apply them during unallocated processing. 
By default, custom signature databases are stored as SQLite files in these locations. 


e on macOS: ~/Library/Application Support/Cellebrite/Inspector/UASignatureDBs 
e on Windows: /Users/<username>/AppData/Roaming/Cellebrite/Inspector/UASignatureDBs 


1. To create, add or remove a custom signature database, in the menu bar click Manage > File 
Signatures. 

2. In the File Signature Management window, expand each category to see the extensions 
for each category. 

3. Select an extension from the list, and the panes at right show a description and file signature 
information for the extension. 


File Signature Management window, showing the Pictures category with the Device Independent 
Bitmap File entry selected. Description: Generic Windows or OS/2 bitmap graphic; supports 1, 4, 8, 
and 24 bits per pixel if the image is uncompressed and 4 and 8 bits per pixel if the image uses RLE 
compression; a 24-bit DIB image contains 8 bits, or 1 byte for each RGB color. File Signature 
Information: Header(s) 424D. Buttons: +, -, New Group, Uncheck All, Cancel. 


To create a new file signature database, in the bottom left corner of the File Signature 
Management window, click New Group. A new signature database with the default name 
UserDefinedSignatures appears in the database file list. 


To add a new file signature to an existing database, select a user-defined database in the File 
Signature Management window. 


1. Click + (add) in the lower left of the window, and a separate signature definition window 
appears. 
2. Provide data in each field, then click OK. 


To remove an existing file signature, select the signature, then click - (remove). 


You can remove a file signature database from the current case. This permanently removes the 
database and cannot be undone. 


• Select the database file in the list, and in the bottom left corner of the File Signature 
Management window click - (remove). 


You cannot remove a database while a processor is running. 
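As an added illustration of what a header/footer entry such as the 424D (BM) header shown in the window above is used for, the following Python script carves files out of a block of bytes by signature. It is example code written for this page, not Inspector's own carving engine, and the signature table is a constructed stand-in in the same header/footer form the window shows, not Inspector's SQLite database schema, which this guide does not document. The sample "unallocated" buffer is constructed inline.

```python
import struct

# Constructed signature table in the header/footer form the File Signature
# Management window shows (hex strings). This is NOT Inspector's own database
# layout; it only illustrates how such entries drive carving.
SIGNATURES = {
    "BMP": {"header": "424D", "footer": None},              # length comes from the BMP header
    "JPG": {"header": "FFD8FF", "footer": "FFD9"},
    "PNG": {"header": "89504E470D0A1A0A", "footer": "49454E44AE426082"},
    "GIF": {"header": "474946383961", "footer": "003B"},
}
MAX_CARVE = 16 * 1024 * 1024   # cap the footer search so one stray header cannot swallow the image


def find_all(blob, pattern, start=0):
    """Yield every offset at which pattern occurs in blob."""
    pos = blob.find(pattern, start)
    while pos >= 0:
        yield pos
        pos = blob.find(pattern, pos + 1)


def carve(blob, signatures=SIGNATURES, max_len=MAX_CARVE):
    """Return [(type, offset, length)] for every carvable file found in blob, by offset."""
    hits = []
    for name, sig in signatures.items():
        header = bytes.fromhex(sig["header"])
        footer = bytes.fromhex(sig["footer"]) if sig["footer"] else None
        for start in find_all(blob, header):
            if name == "BMP":
                # BMP has no footer: bfSize (little-endian DWORD at offset 2) gives the length.
                if start + 6 > len(blob):
                    continue
                size = struct.unpack_from("<I", blob, start + 2)[0]
                if size < 14 or start + size > len(blob):
                    continue            # corrupt or truncated header; skip rather than over-carve
                end = start + size
            elif footer is not None:
                pos = blob.find(footer, start + len(header), start + max_len)
                if pos < 0:
                    continue            # header with no footer in range: not carvable this way
                end = pos + len(footer)
            else:
                continue
            hits.append((name, start, end - start))
    return sorted(hits, key=lambda h: h[1])


def build_sample_unallocated():
    """Constructed filler with three small embedded files; not real evidence."""
    bmp = b"BM" + struct.pack("<I", 30) + b"\x00" * 24          # header declares 30 bytes
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 40 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    return b"\x00" * 64 + bmp + b"\xa5" * 32 + jpg + b"\x00" * 16 + png + b"\xff" * 8


if __name__ == "__main__":
    for kind, offset, length in carve(build_sample_unallocated()):
        print(f"{kind}: offset {offset}, {length} bytes")
```

The first-footer rule is the same shortcut a plain header/footer signature gives you, and it has a known failure mode: a JPEG that embeds an EXIF thumbnail contains an inner FFD9, so the carve stops early and yields the thumbnail-sized fragment. Formats that carry their own length (BMP above) or an internal structure (PNG chunk lengths) let a carver validate the boundary instead of trusting the first footer.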


PhotoDNA and Project VIC 


Authorized law enforcement users can obtain the Project VIC robust hash set and import it 
into Cellebrite Inspector to perform PhotoDNA comparisons against case photos. Project VIC 
Version 2.0 is supported. 


Signup and registration are offered through the ICAC Cops Portal (ICAC, ICE, USPIS, FBI). You 
must have an account on the ICAC Portal. To request membership in Project VIC, see 
https://www.icaccops.com/users/Login. The request must be approved by the ICAC Commander 
or designated Federal Administrator. 


Before you add the Project VIC hash set to Inspector, you must set the appropriate Project VIC 
country. You can do this on the Project VIC tab on the Preferences window. For more 
information, see Inspector Preferences or Options. 
Add the Project VIC Robust Hash Set to Inspector 


1. In the menu bar click Manage > Hash Sets. 


[Screenshot: Manage Hash Sets window. Text: "Import a hash set which contains MD5 hashes. Each MD5 must appear on its own line in the hash list. It is also possible to import Project VIC JSON files which can be used to better filter pictures and videos." Table columns: Hash Set Name, Categories, Source, Updated, Records, with a PROJECT VIC entry. Buttons: Download..., Import..., Update..., Remove.] 


2. Click Import and then select the .json file you obtained from Project VIC. 
You cannot change the name of the hash set. 


When import is complete, Inspector shows how many hashes were successfully imported. 
To import multiple sets, repeat this procedure. The hashes are appended to the previous entry. 


If an entirely new hash set becomes available, you must remove the PhotoDNA hash set before 
you import the new version. Once the hashes are imported, the Manage Hash Sets window 
reflects the newly added PhotoDNA hash set. 


When you use the PhotoDNA hash set for the first time, you must provide your password. 


1. Log into My Cellebrite. 
2. Click the link on the PhotoDNA Authentication dialog box to see the password, which you 
must enter on the PhotoDNA Authentication dialog box. 


The rest of the process for running the Project VIC robust hash set against case evidence is the 
same as with other hash sets. For more information, see Hash Sets and File Signature 
Databases. 
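The Manage Hash Sets window expects one MD5 per line. As an added example written for this page (not Inspector's code), the following Python script validates a hash list in that format, reports any line that is not a 32-character hex MD5 instead of silently dropping it, and runs the exact-match check that an MD5 known-files pass performs against a set of constructed sample files. The hash list and the sample files are constructed for illustration. Only exact MD5 matching is shown; PhotoDNA comparison is a perceptual-hash technique and is not reproduced here.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed hash list in the one-MD5-per-line form the Manage Hash Sets window
# imports. The second line is deliberately malformed to show how it is reported.
SAMPLE_HASH_LIST = """\
9E107D9D372BB6826BD81D3542A419D6
ZZZZ-not-a-hash
e4d909c290d0fb1ca068ffaddf22cbd0
"""

# Constructed "evidence" files keyed by path. Only the first two are in the known set.
SAMPLE_FILES = {
    "/Users/demo/Documents/quick.txt": b"The quick brown fox jumps over the lazy dog",
    "/Users/demo/Documents/quick2.txt": b"The quick brown fox jumps over the lazy dog.",
    "/Users/demo/Documents/other.txt": b"nothing to see here",
}


def load_hash_list(text):
    """Return (set of lower-case MD5 hex strings, list of (line_no, rejected_line))."""
    hashes, rejected = set(), []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments are ignored
        if not MD5_RE.match(line):
            rejected.append((line_no, raw))   # report it; a silent drop hides a broken export
            continue
        hashes.add(line.lower())              # normalise case so matching is exact
    return hashes, rejected


def identify_known_files(files, known):
    """Hash each file and return {path: md5} for those whose MD5 is in the known set."""
    matches = {}
    for path, data in files.items():
        digest = hashlib.md5(data).hexdigest()
        if digest in known:
            matches[path] = digest
    return matches


if __name__ == "__main__":
    known, bad = load_hash_list(SAMPLE_HASH_LIST)
    for line_no, line in bad:
        print(f"line {line_no}: rejected {line!r}")
    for path, digest in identify_known_files(SAMPLE_FILES, known).items():
        print(f"KNOWN {digest} {path}")
```

A match against a curated set is a lookup, not proof of identity: MD5 is not collision resistant, so the hit tells you which hash set entry to review, and the reviewer still looks at the file.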


C4All 


Categorizer For All, or C4All, is a tool used in the investigation of child exploitation media. Once 
all the necessary evidence in a case has been acquired, C4All can be used to quickly compare 
pictures and videos found in that evidence against an expansive database of known file hashes of 
child exploitation media. 


Cellebrite Inspector has C4All fully integrated and ready to use on cases involving OS X, 
Windows, iOS, and Android devices. Users can connect to a locally stored C4All database in 
MySQL format, or one that is remotely stored on SQL Server. (To access a C4All database 
stored on SQL Server from a Mac computer, an ODBC driver shipped with the Inspector installer 
is installed automatically when Cellebrite Inspector is installed.) 
To log into the C4All database, from the menu bar click Manage > C4All. 


[Screenshot: Manage C4All window, with the Options checkbox Store files in DVD sized folders, the Ignore Category field (set to None), and a Cancel button.] 


In the C4All window, you can set whether to allow the images and videos to be exported from the 
case file into folders that are DVD-sized. Mark or unmark the checkbox for Store files in DVD sized 
folders. 


You may also choose whether a specific category of images or videos will be excluded from the 
export. In the Ignore Category field, select a category number or leave it set to None. 


The settings in the Manage C4All window apply to every case on this particular computer. 


If there are multiple evidence devices (allocated or carved files), you must run C4All against each 
device separately. 


1. On the Media view in a case, select the evidence device to run C4All against. 

2. In the Component list, click Evidence Status. In the Content pane, click Run next to Known 
Files for the device. 

3. In the Hash Sets window, mark the checkbox for C4All and then click OK. 


[Screenshot: Hash Sets window, "Identify files from the following Hash Sets:", with Hash Set and Status columns listing C4All, Hashkeeper 2.0 (Known CP), Hashkeeper 2.0 (Suspected CP), and Known OS X System Files (Status: Complete); Cancel button.] 


4. When the hashing process is complete, open the Media view for the selected evidence device. 
All media files (such as pictures, videos, and thumbnails) appear in the Content pane. 

5. Select all items in the view in either of these ways. Each selected item is outlined in a yellow 
box. 


• In the menu bar, click Edit > Select All. 
• Use the keyboard shortcut for your computer to select all. 


6. Open the context menu and then click Export > Export Data Model > C4All. 


[Screenshot: context menu with Save File Listing..., Copy Path, Quick Look, Tag Media As, Export Data Model (submenu: C4All), Export Case Data As XML, Export Selected Rows, Export Selection, Export Selected Location Data As, and Show in Window.] 


7. Select a folder to save the exported files to, and then click Export. 
Inspector exports the images, videos, and thumbnails in the specified C4All format and 
creates all the index files that are normally associated with C4All. 


The exported files are now ready to present to a trained child exploitation investigator. 


Semantics21 


Semantics21 provides the LASERi suite of tools to examine images, animations, and videos. Once 
images are brought into the tool, they can be assigned to one of these categories. 


• 0: Non-Pertinent 
• 1: Child Abuse Material (CAM) Illegal 
• 2: Child Exploitive (non-CAM) / Age Difficult 
• 3: CGI / Animation - Child Exploitive 
• 4: Comparison Images 
• 5: Uncategorized 


Cellebrite Inspector's integration with S21 allows users to complete these tasks. 


• Export data in the S21 format. 
• Import the data into an S21 tool. 
• Use the S21 tool to set labels and assign category values. 
• Connect Inspector to the S21 SQL database (to see a list of S21 user databases). 
• Run Known Files for S21. 


Export Images and Videos 


1. In Inspector, select the images and videos to export. 
2. In the menu bar, click Export > Export Data Model > S21. 


[Screenshot: context menu showing Copy, Paste, Find..., Find Next, Jump To Hex Offset..., Save File Listing..., Open Files, Copy Path, Quick Look, Find Identical Files, Export Selected Files, Export Selected Files As L01..., Export for Legal Review..., Export Hash, Export Data Model (submenu: Project VIC, BlueBear LACE..., S21), Export Case Data As XML, Export Selected Rows, Export Selection, Export Selected Location Data As.] 


A folder is created with a name based on the case name and the date and time the files were 
exported. 


In the S21 export folder, movies are placed in an S21M folder and pictures are placed in an S21P 
folder. These folders contain an index file and subfolders containing the pictures and videos 
exported. The index files are named S21P Index.xml for pictures and S21M Index.xml for videos. 


• In the S21 tool, choose S21P Index.xml or S21M Index.xml to import the files into the 
appropriate LASERi tool. Once the files are imported, they can be categorized within the 
LASERi interface. 


Connect Inspector to the S21 SQL Database 


1. In the menu bar, click Manage > S21. 
2. Type your username and password. 


[Screenshot: Manage S21 window. MySQL Connection: MySQL Server Address (localhost), Port (3306), MySQL Login, MySQL Password, Refresh list of MySQL Databases, MySQL Database (demos21). Options: Ignore Category (None). Cancel button.] 


3. In the Content pane, click Evidence Status. 

4. In the Known Files column, click Run for the items you wish to run the S21 dataset on, and 
in the Hash Sets window mark the checkbox for S21. 


[Screenshot: Hash Sets window, "Identify files from the following Hash Sets:", with Hash Set and Status columns and an S21 row; Cancel button.] 
File System Information 


This chapter provides information about file systems that can be useful when you use Cellebrite 
Inspector. 


• Apple File System 
• Artifact Items 


Apple File System 


The Apple File System (APFS) replaced HFS+ as the default file system beginning with macOS 
10.13. APFS differs substantially from HFS+. Instead of a partition holding a single volume, APFS 
defines a container inside of which several volumes may be present. APFS was designed for solid 
state drives (SSDs) but works with traditional drives as well. 


[Figure: an APFS container holding several APFS volumes.] 


APFS also uses copy-on-write. If you duplicate a file (a clone), the copy does not duplicate the 
data on disk: both inodes (original and copy) point to the same original extents. Only when one of 
them is changed are new extents allocated, and only for the changed blocks. 


By default, the APFS container does not limit the size or location of the volumes within it. Unlike 
traditional partitions, where sectors are allocated to each volume before they can be used, APFS 
lets all volumes share a common pool of extents, so every volume reports the same amount of free 
space. This also means that data from all volumes is interspersed and volumes are not 
contiguous. Space in the logical container pool can be used by one or more APFS volumes. APFS 
volumes grow and shrink by allocating unused blocks from the logical container pool and 
returning them when files are deleted and space is freed. Each APFS volume only knows about 
the blocks used by its own active files; unallocated space is managed at the level of the container 
pool. Because APFS volumes within a container are not traditional partitions, the volumes in a 
container cannot be individually imaged. 


If you choose to run Digital Collector Live on the target system, keep in mind that on macOS 
10.13.0 and later, while System Integrity Protection (SIP) is active, no user, not even root, can 
read the physical disk the system is currently booted from, the physical partition the system is 
currently booted from, or the APFS container that holds the currently booted volume. This 
makes it impossible to image the physical disk from within the running system. 


Adding APFS Evidence to Inspector 


APFS is very different from any other file system, so it appears differently from what is typically 
seen. Specifically, the APFS container uses pooled storage, which is available to all volumes 
within it, including unallocated space. Inspector presents the APFS pooled container highlighted 
with a grey box around the pooled volumes. The other volumes appear normally. If a volume is 
encrypted, a lock icon appears next to the volume and (Encrypted) appears after the volume size. 
Encrypted volumes are automatically deselected. 


[Screenshot: Add Evidence window for 28_APFS_GoldMacBook_4096_withEncr_disk0.E01 (EWF image). The disk tree shows Primary GPT Table (16.0 KB), EFI System Partition (FAT32), then a grey box around the pooled APFS volumes: Macintosh HD (Encrypted) 97.8 GB, Preboot (APFS) 19.0 MB, Recovery (APFS), VM (APFS) 1.0 GB, Unallocated (APFS) 177.6 GB; then Unallocated (HFS+), BOOTCAMP (NTFS), and VSCs: BOOTCAMP (NTFS) [0 Selected, 2 Unselected, 0 Processed]. Processing Options at right: Preview / Triage / Comprehensive; DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, Manage Passwords...; Refresh, Remove, Cancel.] 


Mark the check box next to an encrypted volume within the APFS container. A password prompt 
appears where you can enter a password or a recovery key to unlock the volume. 


[Screenshot: Enter Password or Recovery Key dialog, showing Password Hint: No Hint Available and a Recovery Key field.] 
Because APFS uses pooled storage, deleted files cannot be carved from individual volumes. You 
can only carve from the pooled storage, which means File Carving must be selected for the 
unallocated space in the APFS pool during initial evidence ingestion. Data can be carved from 
volumes that are not within pooled storage at any time during the analysis. 


[Screenshot: Inspector case file with the Details view for the Racer - Data (Active) volume of Bennett-Computer-200520.E01: File System APFS; Extended Information with File Count, Folder Count, Pool Container Size 59.2 GB (63533199360 Bytes) and Space Used Unformatted 34042556416; Identifier 6; Root File Create, Modify and Accessed dates; Space Used 31.7 GB (34042566416 Bytes); Model MacBookAir5,2; Host Name Josh-Bennetts-MacBook; AirDrop Discoverable Mode Everyone. The sidebar lists the volume's snapshots (Data (Snap 1) and so on) under the evidence device, plus Activity, Evidence Status, Export Status, Content Searches, Index Searches, and Investigative Notes.] 


APFS Snapshot Parsing 


APFS was designed with snapshots as a means of built-in backup support. Snapshots leverage the 
copy-on-write property of APFS to provide "instant" backups of the entire state of an APFS 
volume. Snapshots can be mounted as read-only volumes that are exact copies of the file system 
state at the time they were taken. However, Inspector does not need to mount the snapshots in 
order to process them. 


APFS snapshots are detected automatically and listed in the middle pane of the Add Evidence 
window. 
[Screenshot: Summary / Disk view for Bennett-Computer-200520.E01 (EWF image), Evidence ID Bennett-Computer-200520.E01 - 001, with an Artifacts chart (Graphics, Documents, Disk Images, Archives, Movies, Emails). Disk layout: Protective MBR 512 Bytes; Primary GPT Header 512 Bytes; Primary GPT Table 16.0 KB; Unallocated 3.0 KB; EFI System Partition (FAT32) 200.0 MB; Racer - Data (APFS) 31.7 GB; Snapshots: Racer - Data (APFS) [0 Selected, 4 Unselected, 0 Processed]; Preboot (APFS) 27.1 MB; Recovery (APFS) 500.7 MB; VM (APFS) 2.0 GB; Racer (APFS) 10.4 GB; Unallocated (APFS) 14.5 GB; Basic data partition (NTFS) 52.4 GB; VSCs: Basic data partition (NTFS) [0 Selected, 2 Unselected, 0 Processed]; Unallocated 472.0 KB.] 
Below each Snapshots entry is an indicator of the number of snapshots selected, unselected, and 
processed. By default, none of the snapshots is selected for processing. You can expand the APFS 
Snapshots entry. 


[Screenshot: Add Evidence window for Bennett-Computer-200520.E01 (EWF image) with the Snapshots: Racer - Data (APFS) entry expanded to show Racer - Data Snap 1 (APFS) through Racer - Data Snap 4 (APFS), each 31.7 GB, among the other partitions listed above. Processing Options at right: Preview / Triage / Comprehensive; DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Process Archives, Process OCR Image Text, Identify Known Files, File System Journal Analysis, Spotlight Parsing, OS Event / Security Logs, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Activity Correlation, Hiberfil.sys / Pagefile.sys, Calculate File Entropy, Manage Passwords...; Refresh, Remove, Cancel.] 


Once a Snapshots entry is expanded, select the specific snapshots to process. As snapshots are 
selected, the indicator for that entry is updated. Like all other volumes listed, different processing 
options can be set for each snapshot. Processing all snapshots takes longer, and they do not have 
to be ingested during initial evidence processing. 


APFS snapshots are automatically enabled if Time Machine is enabled, even if no backup disk is 
connected. Snapshots are created approximately every hour, before each Time Machine backup, 
and before certain system updates. Snapshot lifetimes depend on a number of factors, but they 
are generally available for about 24 hours. Older snapshots may be deleted if the disk is low on 
space. We have found that devices with unsuccessful Time Machine backups tend to retain 
snapshots the longest. 


[Screenshot: Inspector case file view listing the files of a snapshot volume, with Date Created and Date Modified columns, the Metadata / Location / Record tabs, and the Data Interpreter pane.] 
APFS on macOS 10.15 


Increased system protection was added in macOS Catalina 10.15. The operating system runs in a 
read-only system volume, separate from other files. When a system is upgraded to Catalina, a 
second volume is created, and some files may move to a Relocated Items folder. 


The boot volume was effectively split into two pieces. On the Desktop it appears as one volume, 
but looking at it in Disk Utility, it is readily apparent that there are two volumes. 


[Screenshot 1: Disk Utility showing MacSSD, an APFS Volume (Encrypted) inside a 500.07 GB container, macOS 10.15.3: Used 10.97 GB, Other Volumes 226.57 GB, Free 262.52 GB, Mount Point /, Device disk1s5, Connection SATA.] 

[Screenshot 2: Disk Utility showing MacSSD - Data, an APFS Volume (Encrypted) in the same 500.07 GB container: Used 223.66 GB, Other Volumes 13.89 GB, Free 262.52 GB, Mount Point /System/Volumes/Data, Device disk1s1, Connection SATA.] 


The volume name that appears on the Desktop appears in both volumes; the second volume has 
- Data appended to the volume name. For more information, see this topic provided by Apple: 
https://support.apple.com/en-us/HT210650. 
You can also see this structure when the volume is processed in Inspector. It is first visible when 
ingesting evidence from a macOS 10.15 system. 


[Screenshot: Add Evidence disk tree for Bennett-Computer-200520.E01 (EWF image), Evidence ID Bennett-Computer-200520.E01 - 001: Protective MBR 512 Bytes; Primary GPT Header 512 Bytes; Primary GPT Table 16.0 KB; Unallocated 3.0 KB; EFI System Partition (FAT32) 200.0 MB; Racer - Data (APFS) 31.7 GB; Snapshots: Racer - Data (APFS) [0 Selected, 4 Unselected, 0 Processed]; Preboot (APFS) 27.1 MB; Recovery (APFS) 500.7 MB; VM (APFS) 2.0 GB; Racer (APFS) 10.4 GB; Unallocated (APFS) 14.5 GB; Basic data partition (NTFS) 52.4 GB; VSCs: Basic data partition (NTFS) [0 Selected, 2 Unselected, 0 Processed]; Unallocated 472.0 KB.] 

This example shows a macOS computer with the volume name Racer. Evidence processing 
options can be different for the two volumes. User files and data are stored on the <Volume 
Name> - Data volume. When choosing processing options keep this in mind. 


Once processed, the Details view shows different information for each portion of the volume. 
This is shown for the <Volume Name> - Data portion. 


1. Information about data contained in this portion of the combined volume 
2. Information pertaining to just the <Volume Name> - Data portion 
3. Information about macOS system 


[Screenshot: Details For: Racer - Data. Device: Bennett-Computer-200520.E01. Volume: Racer - Data. File System: APFS. 
(1) Extended Information: File Count 173086; Folder Count 29057; Last File ID 8595262289; Pool Container Size 59.2 GB (63533199360 Bytes); Space Used Unformatted 34042556416. 
(2) File System: APFS; Identifier 6; Root File Create Date 2019-09-29 20:23:29 (UTC); Root File Modify Date 2020-04-14 15:54:05 (UTC); Root File Accessed Date 2020-05-08 20:52:47 (UTC); Space Used 31.7 GB (34042556416 Bytes). 
(3) Model MacBookAir5,2; Host Name Josh-Bennetts-MacBook; Serial Number C02HX8D2DRVD; Time Zone America/Vancouver; Language en_US; AirDrop Discoverable Mode Everyone; MAC (AirPort_Brcm4360/en0) 7C:D1:C3:DC:C3:2F; Dynamic IP 192.168.0.122; MAC (AppleThunderboltIPPort/en1) 82:00:48:30:1F:80; MAC (BCM5701Enet/en2) 40:6C:8F:44:C1:9F. 
Summary / Disk view for Evidence ID Bennett-Computer-200520.E01 - 001 with an Artifacts chart (Emails 1003, Archives, and other types on a logarithmic scale).] 


This is shown on the Details view for <Volume Name>. 


1. Information about the OS version and data contained in this portion of the combined volume 
2. Information pertaining to just the <Volume Name> portion 


[Screenshot: Details For: Racer. Device: Bennett-Computer-200520.E01. Volume: Racer. File System: APFS. 
(1) Extended Information: OS Version Mac OS X (10.15.4); File Count 380158; Folder Count 108807; Last File ID 1152921500312789574; Pool Container Size 59.2 GB (63533199360 Bytes); Space Used Unformatted 11174010880. 
(2) File System: APFS; Identifier 4; Root File Create Date 2019-10-08 16:07:18 (UTC); Root File Modify Date 2020-04-14 15:48:20 (UTC); Root File Accessed Date 2020-04-14 15:53:25 (UTC); Space Used 10.4 GB (11174010880 Bytes). 
Summary / Disk view for Evidence ID Bennett-Computer-200520.E01 - 001 with an Artifacts chart (Movies 25, Emails 0, Archives 120, and other types on a logarithmic scale).] 


During the examination, most of the user data will be found on <Volume Name> - Data. While 
there are pictures, videos, and other files on the <Volume Name> partition, they are related to 
applications and the operating system; they are not files created by the user. 
These are the artifacts that Cellebrite Inspector can parse. 


• Spotlight Index 
• NTFS Access Control Lists 
• Cocoa Nanosecond Timestamp Format 


Spotlight Index 


Inspector can parse macOS Spotlight indexes. Spotlight is a system-wide search feature of macOS 
and iOS. It allows users to quickly locate a wide variety of items on the computer, including 
documents, pictures, music, applications, and system preferences. Specific words in documents 
and in web pages in a web browser's history or bookmarks can be searched. It also allows users to 
narrow down searches by creation date, modification date, size, type, and other attributes. 


You can choose to run the Spotlight Parsing option in the Add Evidence window or in the 
Evidence Status pane. 


Spotlight data is parsed into multiple locations in Inspector. 


• Spotlight sub-view in the System view 
• In the Actionable Intel view 
  o Spotlight Search Shortcuts in the Search sub-view 
  o AirDrop artifacts in the Downloads sub-view 
  o recently accessed files in the File Knowledge sub-view 


For more information, see these topics: 


• System View 
• Actionable Intel View 


[Screenshot: Processing Options panel for Bennett-Computer-...0.E01 (EWF image): Preview / Triage / Comprehensive; Extract Data, DB Recovery, File Signature Analysis, Picture Analysis, Video Analysis, Calculate Hashes, Identify Known Files, File Carving, File System Journal Analysis, OS Event / Security Logs, Process Archives, Smart Indexing, Content Search (Bulk extraction), Mail Parsing, Hiberfil.sys / Pagefile.sys (Quick Scan / Deep Scan), Calculate File Entropy, Manage Passwords...] 
The Spotlight index items can also be found in the Metadata sub-view of the File Content view 
for any item in a macOS or iOS volume. All of the items appear under the Spotlight heading 
within the metadata. There is a lot of information under this heading, some of which also exists 
in the file itself or in the file's own metadata. However, there can also be much more useful 
information, such as dates and times. 


[Screenshot: File Content view, Metadata sub-view, for a JPEG under Racer - Data/Users/josh/Documents, with the Spotlight heading expanded.] 


In addition to the Metadata sub-view for Spotlight indexes, you can filter on these pieces of 
information within the Filter view. 


NTFS Access Control Lists 


File system permissions in NTFS are controlled with Access Control Lists (ACLs), which are 
ordered lists of ACEs (Access Control Entries). Each user logged onto the system holds an 
access token with security information for that logon session. The system creates an access 
token when the user logs on. Every process executed on behalf of the user has a copy of the 
access token. The token identifies the user, the user's groups, and the user's privileges. A token 
also contains a logon SID (Security Identifier) that identifies the current logon session. 


Each ACE in an NTFS ACL contains these items. 


• A SID (Security Identifier) that identifies a particular user or group 
• An access mask that specifies access rights 
• A set of bit flags that determine whether child objects can inherit the ACE 
• A flag that indicates the type of ACE (for example, Access Allowed or Access Denied) 


ACEs are fundamentally alike. What sets them apart is the degree of control they offer over 
inheritance and object access. There are two types of ACEs. 


• Generic ACEs, which can be attached to all securable objects 
• Object-specific ACEs, which occur only in ACLs for Active Directory objects 
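To make the ACE layout above concrete, here is an added Python example (written for this page, not Inspector's parser) that decodes a raw binary ACL into the same fields the Metadata sub-view shows: ACE type, inheritance flags, the access mask broken out into named rights, and the SID. It handles the generic ACE layout only and refuses object-specific ACE types. The sample DACL bytes are constructed by hand for this example (Administrators with full control, Everyone with inherited read-and-execute); they are not taken from any evidence file.

```python
import struct

# Access-mask bits from winnt.h, labelled the way the Metadata sub-view labels them.
FILE_RIGHTS = [
    (0x00000001, "Read Data"), (0x00000002, "Write Data"), (0x00000004, "Append Data"),
    (0x00000008, "Read Extended Attributes"), (0x00000010, "Write Extended Attributes"),
    (0x00000020, "Execute"), (0x00000040, "Delete Child"), (0x00000080, "Read Attributes"),
    (0x00000100, "Write Attributes"), (0x00010000, "Delete"), (0x00020000, "Read Permissions"),
    (0x00040000, "Change Permissions"), (0x00080000, "Take Ownership"), (0x00100000, "Synchronize"),
    (0x10000000, "Generic All"), (0x20000000, "Generic Execute"),
    (0x40000000, "Generic Write"), (0x80000000, "Generic Read"),
]
ACE_TYPES = {0: "Access Allowed", 1: "Access Denied", 2: "System Audit"}
ACE_FLAGS = [(0x01, "Object Inherit"), (0x02, "Container Inherit"),
             (0x04, "No Propagate Inherit"), (0x08, "Inherit Only"), (0x10, "Inherited")]


def parse_sid(buf, off):
    """Decode a binary SID at buf[off:] into S-R-A-S1-S2... and return (sid, byte_size)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")     # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)      # sub-authorities, little-endian
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(buf):
    """Parse a Windows ACL (8-byte header followed by generic ACEs) into a list of dicts."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, 0)
    if acl_size > len(buf):
        raise ValueError("ACL header claims %d bytes, buffer has %d" % (acl_size, len(buf)))
    aces, off = [], 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, off)
        if ace_size < 8 or off + ace_size > acl_size:
            raise ValueError("ACE at offset %d overruns the ACL" % off)
        if ace_type not in ACE_TYPES:
            raise ValueError("object-specific or unknown ACE type %d not handled" % ace_type)
        mask = struct.unpack_from("<I", buf, off + 4)[0]
        sid, _ = parse_sid(buf, off + 8)
        aces.append({
            "type": ACE_TYPES[ace_type],
            "flags": [name for bit, name in ACE_FLAGS if ace_flags & bit],
            "mask": mask,
            "rights": [name for bit, name in FILE_RIGHTS if mask & bit],
            "sid": sid,
        })
        off += ace_size           # AceSize, not a fixed stride: SIDs vary in length
    return aces


# Constructed DACL, built by hand for this example (not bytes from evidence):
# full control for Administrators (S-1-5-32-544), then an inherited
# read-and-execute entry for Everyone (S-1-1-0).
SAMPLE_ACL = bytes.fromhex(
    "02003400" "02000000"                                          # ACL: rev 2, 52 bytes, 2 ACEs
    "00001800" "FF011F00" "0102000000000005" "2000000020020000"    # Allowed, 0x1F01FF, Administrators
    "00131400" "A9001200" "010100000000000100000000"               # Allowed, OI|CI|Inherited, 0x1200A9, Everyone
)

if __name__ == "__main__":
    for ace in parse_acl(SAMPLE_ACL):
        print(ace["type"], ace["sid"], hex(ace["mask"]), ", ".join(ace["flags"]), "->",
              ", ".join(ace["rights"]))
```

Two details matter when you do this against real $Security data: ACEs are walked by their own AceSize field, since SID length varies, and both the ACL size and each ACE size are checked against the buffer before any field is read, so a truncated or tampered descriptor raises instead of reading garbage.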
In the Metadata sub-view, you can see the ACE entries of each type that exist for the selected 
file. 


[Screenshot: File Content view for BOOTCAMP (Active)/Users/josh/Downloads/BMW-M2-STRIPES.jpg on the NTFS volume. The Metadata sub-view lists NTFS Access Control Entry (2): Access Mask, ACE Type Access Allowed, Name Administrators, SID, and the individual rights (Append Data, Change Permissions, Execute, Read Attributes, Read Data, Read Extended Attributes, Synchronize, Write Data, Write Extended Attributes, all True), followed by NTFS Access Control Entry (3), also Access Allowed.] 


Cocoa Nanosecond Timestamp Format 


From time to time, Apple changes storage formats for certain things. The Cocoa format for 
timestamps was introduced in iOS 11 and macOS 10.13. Instead of the previous 9 digits, Cocoa 
timestamps are 18 digits for some date columns. Inspector supports these longer nanosecond 
timestamps when they are encountered. 

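The conversion Inspector performs on such columns, as an added example (not Inspector's own code): it assumes the Cocoa reference date of 2001-01-01 00:00:00 UTC and, generalising the 9-digit versus 18-digit description above, separates the two encodings by magnitude rather than digit count, so values from the first years after the epoch are also decoded correctly. SAMPLE_ROWS is constructed; its first date value is the one decoded in the screenshot below.

```python
from datetime import datetime, timedelta, timezone

# Apple's Cocoa (NSDate / Core Data) reference date (assumed): 2001-01-01 00:00:00 UTC.
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Any nanosecond value later than ~100 seconds after the epoch exceeds 10**11, while a
# seconds value stays below it for thousands of years, so this threshold tells the two
# encodings apart without counting digits (added heuristic, not from the page).
NANOSECOND_THRESHOLD = 10 ** 11


def decode_cocoa(value):
    """Return (UTC datetime, unit) for a raw Cocoa timestamp, or (None, "unset") for 0.

    Values above NANOSECOND_THRESHOLD are nanoseconds since the Cocoa epoch; anything
    else is seconds (a float keeps its fractional part).
    """
    if value is None or value == 0:
        # Columns such as date_read hold 0 until the event occurs (assumption).
        return None, "unset"
    if value > NANOSECOND_THRESHOLD:
        seconds, nanos = divmod(int(value), 10 ** 9)
        unit = "nanoseconds"
    else:
        whole = int(value)
        seconds, nanos = whole, int(round((value - whole) * 10 ** 9))
        unit = "seconds"
    # timedelta resolves to microseconds, so sub-microsecond digits are dropped here.
    return COCOA_EPOCH + timedelta(seconds=seconds, microseconds=nanos // 1000), unit


def format_cocoa(value):
    """Render like Inspector's Cocoa Nanoseconds decoder: 'YYYY-MM-DD HH:MM:SS (UTC)'."""
    stamp, _unit = decode_cocoa(value)
    return None if stamp is None else stamp.strftime("%Y-%m-%d %H:%M:%S (UTC)")


# Constructed rows shaped like a message table with date, date_read and date_delivered
# columns; row 1 uses the 18-digit form, row 2 the older 9-digit form.
SAMPLE_ROWS = [
    {"ROWID": 1, "date": 460076254000000000, "date_read": 0, "date_delivered": 460076260000000000},
    {"ROWID": 2, "date": 460076254, "date_read": 460076300, "date_delivered": 0},
]


def decode_rows(rows, columns=("date", "date_read", "date_delivered")):
    """Return one dict per row with each timestamp column rendered for display."""
    return [{col: format_cocoa(row.get(col)) for col in columns} for row in rows]


if __name__ == "__main__":
    for row in decode_rows(SAMPLE_ROWS):
        print(row)
```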

[Screenshot: the Record view of a messages database with tables such as message, chat, attachment and handle; the date, date_read and date_delivered columns hold 18-digit values such as 460076254000000000, and the value decoder pane renders that value as Cocoa Nanoseconds 2015-07-31 22:57:34 (UTC)] 
Troubleshooting 


This chapter provides these topics about troubleshooting for Cellebrite Inspector. 


• The Debug Console 
• Other Issues 


The Debug Console 


Inspector may on rare occasion “hang” or unexpectedly quit. If this happens, relaunch Inspector, 
and then get the Dongle ID from the About Inspector window. 


• On Mac computers, in the menu bar, click Inspector > About Inspector. 
• On Windows computers, in the menu bar, click Help > About Inspector. 


When you contact Technical Support, you will need the Dongle ID. For more information, see 
Getting Support. 


The Debug Console also opens in the lower left corner of the screen. You may open the Debug 
Console before you open a case to see more information that may be of interest. 


There are several commands for the Debug Console that may yield additional troubleshooting 
information. Before you run and attempt to troubleshoot an Inspector process, you must enable 
verbose mode. 


Note: Inspector runs much slower than usual when verbose mode is on. 


Enable Verbose Mode 


• In the lower left corner of the Debug Console, type verbosemode. 


Debug Console 

verbosemode| 


The Debug Console window shows additional information. 


Debug Console 

Command received: verbosemode 
VerboseMode is ON 
Command executed: verbosemode 
These are additional Debug Console commands. 


Command     | Description 
systemlog   | Save the debug log to the console or system log 
logfile     | Save the debug log to a file named Inspector Debug Log.txt on the Desktop 
verbosemode | Enable verbose mode debugging 
watchmemory | Display Inspector objects' memory usage in real time 
memused     | Show how much memory is currently in use 
objects     | Display all the objects Inspector is using 
objectcount | Show the number of objects Inspector is using 


Errors appear in red font in the Debug Console. For example, the text DiskProcessor is 
Restarting may appear. While this is technically an error, there is no problem. DiskProcessor 
restarts itself in the event of an error, and this information is shown in the Debug Console. 


[Screenshot: Debug Console in verbose mode, showing the DiskProcessorShell command line (diskprocessor --mode=DeviceProperties --deviceClass=iOS ...), DataNormalizer.Run execution times for individual parsers (Facebook, Foursquare) and an error stack trace] 
Other Issues 


Cellebrite Inspector may encounter files that cause the application to “hang” or close 
unexpectedly. Logs created as a result of these responses are very useful during the 
troubleshooting process. If possible, please have these logs available when you contact 
Cellebrite Technical Support. Unfortunately, logs are often not created, and determining the 
exact cause is difficult. 


Exception Errors 


When an exception error occurs, Inspector shows an error alert. 


Oops! This is embarrassing, an error has occurred. 

Inspector has encountered an error. We apologize for the inconvenience. Please click on the "Report..." button to send this 
to Cellebrite so that we can fix it as soon as possible. 

Although it may be possible to continue, it is advisable to quit and restart. 

Type: ThreadAccessingUIException 
Message: A thread has attempted to manipulate a user interface element. This can only be done from the application's main thread. 
Stack: 
REALbasic._UITrap 
Window.__Exit%%o<Window> 
roframework.dylib$3143 
roframework.dylib$3119 
RuntimeUnlockObject 
roframework.dylib$1411 
_pthread_body 

Report...   Continue 


If this happens, click Report. This sends the error report to Cellebrite so we can attempt to fix the 
problem as soon as possible. 


If you would like our support team to contact you by email for assistance and follow up, type your 
contact information in the Name and/or Email field in the Problem Report window. In the 
Comments field, please include any information about what tasks were being performed when 
the error occurred or provide steps so that we can attempt to recreate the error during the 
troubleshooting process. 


Database Errors 


The deleted SQLite record recovery process can cause a database error, more often on a 
Windows analysis computer than on a Mac. You can remedy this issue on the Options tab in the 
Preferences window by unmarking the checkbox for Recover Deleted SQLite Records. For more 
information, see Inspector Preferences or Options. 


This prevents Inspector from attempting to recover deleted SQLite records. 


If disabling this option does not remedy the issue, open the Debug Console, issue the verbose 
mode command, and repeat the action undertaken prior to the crash. 


Searching container files such as .tar and .zip files can also cause issues. If this happens in a 
case when deep search has been enabled, you can disable deep search to prevent Inspector 
from searching inside a container or compound files. However, you will have to manually extract 
and examine container or compound file types. 


Locating Partitions 


Sometimes Inspector may not automatically locate a disk image, disk image partition, or the 
correct disk image partition. This problem often occurs if the GUID, Apple partition map, or the 
Master Boot Record has been wiped, though the partitions remain present. You can remedy this 
by either extracting the partitions and then adding the extracted partitions back to the case as 
separate devices, or by adding a new partition to the image file. 


1. At the top of the Component list, click Add. 
2. Navigate to the disk image and click Open. 
3. In the Add Evidence window, open the context menu from the image file name and click Edit 
Partitions. 


[Screenshot: Add Evidence window with the image file's context menu open (Set Disk Sector Size..., Edit Partitions..., Import as File, Import as Windows Memory (Dump, Image, File), Remove) beside the Processing Options pane] 

The Partition Editor window appears with each volume’s start and end sector information. 


[Screenshot: Partition Editor window listing each volume's Name, First Sector and Last Sector (for example BOOTCAMP, 118867968 to 178255871) beside a hex view of the highlighted sector, with Cancel and Apply buttons] 


4. In the bottom left corner of the Partition Editor window, click + (add). 
A new partition entry appears. 

5. Under the name column, type the new partition name. 

6. Under the First Sector and Last Sector columns, type the partition’s start sector number and 
end sector number, respectively. 

7. Click Apply. 


Inspector recognizes the new partition, displays it in the Evidence section of the Component List, 
and makes partition data available for analysis. 


If a problem with Inspector persists, please contact Cellebrite Technical Support. For more 
information, see Getting Support. 
Appendix 1 - iTunes Precautions 


All of these precautionary procedures are highly recommended for the analyst to remain in full 
control of the computer. If any application auto-launches while a device is attached, the 
application may cause adverse effects to evidence. 


To prevent inadvertent data writes to an evidentiary iOS device, you must prevent iTunes from 
launching when an iOS device is attached to an analysis machine. The methods for doing so 
differ depending on whether the iTunes application has been previously launched under the 
current user account on the analysis computer. 


If iTunes has been launched under the current user account on the analysis computer, before 
you attach an iPhone to the analysis computer, you must disable the iTunesHelper application. 
This application launches iTunes automatically when an iOS device is attached to the computer. 
Disabling this application prevents iTunes from launching. 


Disable iTunes on a Mac Computer 


1. Launch iTunes. 
2. At the top of the screen on the menu bar, click Edit > Options. 
3. Click Devices. 


[Screenshot: iTunes Devices preferences pane listing device backups, with the checkbox Prevent iPods, iPhones, and iPads from syncing automatically marked] 


4. Mark the checkbox for Prevent iPods, iPhones and iPads from syncing automatically, and then 
click OK. 


5. On the menu bar, click iTunes > Quit iTunes. 


Next, disable the iTunesHelper application to prevent the iTunesHelper application from 
automatically launching during login. 


316 


March 2022 Cellebrite Inspector User Guide 


Permanently Disable iTunesHelper on a Mac Computer 


1. Click anywhere on the Desktop. 
2. On the menu bar, click Apple > System Preferences. 
3. Click Users & Groups. (On versions of OS X earlier than Lion, click Accounts.) 
4. On the preferences window, click Login Items. 
5. Under the Hide column, mark the checkbox for iTunesHelper. 


[Screenshot: Users & Groups > Login Items list ("These items will open automatically when you log in") showing iTunesHelper with its Hide checkbox marked] 


6. Below the list, click - (remove). 
The iTunesHelper application is removed from automatic login items list. 


Temporarily Disable iTunesHelper on a Mac Computer 


1. Launch the Activity Monitor application, which is located here: /Applications/Utilities/Activity 
Monitor. 


[Screenshot: Activity Monitor (My Processes) with the Filter field set to iTunes Helper, isolating that process] 


2. In the Activity Monitor menu, click View > My Processes (if it is not already selected). 
3. In the Filter field, type iTunes Helper. The iTunes Helper application process is isolated. 
4. Select the iTunes Helper application. 
5. In the top left corner of the Activity Monitor window, click Quit Process (the stop sign with an X 
in it), and then click Quit. 


The iTunesHelper application is disabled, and iTunes will no longer automatically launch when 
an iOS device is attached to the analysis computer. 


You can reactivate iTunesHelper. Either locate the application and manually launch it, or add it 
back to the list of login items and then log out and back in. The iTunesHelper application process 
appears in the Activity Monitor process list when it is active. For recent versions of iTunes on a 
Mac, open this folder in Finder to locate the iTunesHelper application: 
/Applications/iTunes/Contents/MacOS/. 
Disable Auto-Launch of Camera-Related Applications on Mac Computers 


OS X features a running daemon named PTPCamera. This daemon checks a connected camera 
device. Most iOS devices include camera functionality. In the default configuration of OS X, the 
Image Capture application launches when a camera device is connected to the system. Image 
Capture has an option to stop auto-launch when a specific device is connected, but it does not 
offer a way to control the connection of new camera devices. 


iPhoto does offer the ability to control auto-launch for all camera devices. In fact, with iPhoto, 
you can select a preference to never auto-launch any camera-related application, including 
Image Capture, when camera devices are attached. 


1. To set this preference, open the iPhoto application and click iPhoto > Preferences. 
The iPhoto General preferences window appears. 
2. In the Connecting camera opens field, select No application. 


A specific key in the user's Library/Preferences folder is set, stopping applications related to the 
camera function of any camera device. 


Disable iTunes on a Windows 10 Computer 


1. After launching iTunes, in the menu bar, click iTunes > Preferences. 
2. Onthe General Preferences window, click Devices. 
3. Mark the Prevent iPods, iPhones and iPads from syncing automatically checkbox. 


[Screenshot: iTunes Devices preferences on Windows with Prevent iPods, iPhones, and iPads from syncing automatically marked] 


4. Disable the iTunesHelper application to prevent it from automatically launching during login. 
a. Open the Task Manager, and on the Startup tab, disable iTunesHelper. 


b. On the Processes tab, right-click on iTunesHelper.exe, and then click End task. 
Disabling Windows AutoPlay features 


AutoPlay is active on Windows 10 by default. It does not appear to automate anything with iOS 
devices that are attached, but it is best practice to disable it. 

For more information, see Disabling Windows AutoPlay in System Settings on Windows 10 
Computers. 
Appendix 2 - EWMounter 


Cellebrite Inspector ships with a separate E01 forensic image mounting application that allows 
examiners to mount E01 image files on a Mac computer. You can save a lot of time by mounting 
a forensic image as a connected device and browsing the directory structure before acquiring 
data from the image file. Mounting an E01 forensic image file is also helpful in the course of a 
forensic examination of Mac computers, because you may be able to open non-native application 
files that cannot be opened from within Inspector. 


Cellebrite Inspector supports EWMounter on macOS up to 10.15.7. 


On Mac computers running macOS 10.13 and higher, when EWMounter is run for the first time, 
this warning appears. 


[Screenshot: EWMounter window (Mount, Unmount, Verify Hash) showing this message] 


Important information for systems running macOS 10.13 and higher 

macOS High Sierra 10.13 introduces a new feature that requires your approval before 
loading newly-installed third-party kernel extensions (KEXTs). This feature enforces that 
only kernel extensions approved by you will be loaded on a system. The load request is 
denied and macOS presents the alert shown: 

System Extension Blocked 
A program tried to load new system extension(s) signed by “BlackBag Technologies, Inc.”. If you want 
to enable these extensions, open Security & Privacy System Preferences. 

This prompts you to approve the KEXT in System Preferences > Security & Privacy which 
will be automatically opened for you. 


Click OK. The Security & Privacy tab in the System Preferences window appears. Click Allow. 


[Screenshot: Security & Privacy > General pane with the message “System software from developer “BlackBag Technologies, Inc.” was blocked from loading.” and an Allow button] 


Note: You must run EWMounter from an administrator account. It cannot be run from a standard 
user account. 
To launch the EWMounter application, double-click the application icon in the 
/Applications/Inspector folder. The EWMounter application window appears. 


[Screenshot: EWMounter window with Mount, Unmount and Verify Hash buttons] 
Mounting Options 


To mount an E01 image file click Mount. Navigate to the E01 file and click Open. The Mounting 
Options window appears. 


[Screenshot: Mounting Options sheet with a Virtualize Device checkbox (Does not mount partitions), a Set Block Size control defaulting to 512 (macOS 10.13.X and higher), and Cancel and OK buttons] 


To mount the file (and partitions) normally, unmark the Virtualize Device checkbox. Under most 
circumstances, the Virtualize Device checkbox should not be marked. 


If the E01 file is damaged, you can create a file system entry without mounting the E01 file by 
marking the Virtualize Device checkbox. You can mount the E01 file as a virtualized device to 
create a file system entry, and then run the ‘dd’ utility (convert and copy), or other disk recovery 
tools. 


On macOS 10.13 and higher, the Set Block Size option is available. This lets you set different 
block sizes based on the type of image. Advanced Format hard drives ship with 4k sector sizes, 
which do not mount properly with a 512 (default) block size. To properly mount such an image, 
mark the Set Block Size checkbox and choose a size, then click OK. Available sizes are 512, 4096 
and 8192. 


A block size of 4096 should be selected for images of a 2015 MacBook, 2015 MacBook Air, and 
any Mac model shipped with an SSD in 2016 and later. 


EWMounter opens and mounts the E01 image with the options you set. 


Additional non-E01 files may appear as selectable in the navigation window. If they are 
selected, they fail to launch because EWMounter only opens E01 image files. 
On the left side of the EWMounter window, the mounted E01 file shows a green dot to the left of 
the file name. Select the E01 image file name. On the right side of the EWMounter window under 
Volumes, the E01 image file partitions display along with the image file's MD5 and SHA1 hash 
values. 


EWMounter 
Mount   Unmount   Verify Hash 
cfreds_2015_data_leakage_pc.E01 (System Reserved, Untitled) 
Image file: MacHD:Users:drew:TEST DATA:CFREDs:cfreds_2015_data_leakage_pc.E01 
Device Entry: /dev/disk2 
Device Size: 21,474,836,480 (20.00 GBs) 

Volumes: 
System Reserved 
Untitled 

MD5: a49d1254c873808c58e6f1bcd60b5bde 
SHA1: afe5c9ab487bd47a8a9856b1371c2384d44fd785 


Not all E01 files have a SHA1 hash value. If an E01 image file does not have a SHA1 hash value, 
only the MD5 hash value appears. 
Verifying MD5 and SHA1 Hash Values 


To verify the E01 image MD5 and SHA1 hash values in EWMounter, click Verify Hash. 


MD5: a49d1254c873808c58e6f1bcd60b5bde 
SHA1: afe5c9ab487bd47a8a9856b1371c2384d44fd785 

Verifying... 


If the hash verification succeeds, (Verified) appears. If the hash verification fails, (Failed) appears. 


MD5: a49d1254c873808c58e6f1bcd60b5bde (Verified) 
SHA1: afe5c9ab487bd47a8a9856b1371c2384d44fd785 (Verified) 


Mounted E01 image files also mount as part of the file system on the analysis computer and are 
visible as a mounted device on the Desktop and in a Finder window. This example shows 
mounted E01 image file partitions in the EWMounter window as they appear mounted on the 
Desktop. 


[Screenshot: EWMounter window for cfreds_2015_data_leakage_pc.E01 (Device Entry /dev/disk2, Volumes: System Reserved, Untitled, with MD5 and SHA1 values) alongside the same two volumes mounted on the Desktop] 
Previewing a Mounted E01 Image File 


You can preview a mounted E01 Image File in Finder and in Cellebrite Inspector. 


Previewing in Finder 


A mounted volume may be opened in the Finder and the contents previewed as if the volume was 
physically attached to the analysis system. Volumes are mounted with read-only permissions 
and are therefore write-protected, as indicated in the lower left corner of the window that 
displays a small pencil symbol with a line through it. 


[Screenshot: Finder sidebar listing the mounted volumes (MacOSX, MacOSS, MacOSXJ, MacOSXD) under DEVICES] 

This example shows the contents of a mounted volume in a Finder window, and confirms the 
volume is read-only. 


[Screenshot: Finder window for the mounted MacOSXJ volume showing six items (000_0007.JPG, 000_0017.JPG, 000_0019.JPG, 000_0020.JPG, 000_0021.JPG and a .txt file), with the crossed-out pencil symbol in the lower left corner] 


Previewing in Inspector 


To preview the contents of an E01 file in Inspector, mount the E01 file using EWMounter. After 
the E01 file is mounted, follow the same process as for adding any attached device to a case in 
Inspector. For more information, see Adding Evidence to a Case. 


In the Add Evidence window, to the left of the mounted E01 disk image or partitions, mark the 
checkboxes. In the right pane of the Add Evidence window, select the options for ingestion and 
processing, and then click Start to begin adding the attached E01 to the case. 


For more information, see Managing Case Evidence. 


Shadow Mounting an E01 Image File 


E01 image files sometimes contain partitions that do not mount cleanly. These partitions are 
marked as “dirty” in the file system (the ‘dirty bit’ is flipped). A File System Consistency Check 
(FSCK) must be run to successfully mount the file. 


Running an FSCK check normally causes writes to a volume. EWMounter handles 
this issue automatically by shadow mounting the volumes and running the FSCK check on the 
shadow volume. 


Shadow mounting an E01 image file does not affect the original E01 forensic image in any way. 
No writes are made to the E01 image, so no changes are made to the forensically sound image. 
However, the shadow file does have Read-Write permissions, so changes can be made to it 
during the FSCK check. 


The image file failed to mount cleanly. 

It is likely the image was not cleanly unmounted prior to imaging and the dirty flag is set. 

Would you like to try and Shadow Mount this image? If so the Shadow mount will be Read/Write 
but the image will not be altered in any way. 

(Stop)   (Shadow Mount) 
Shadow mounted volumes display with a Shadow Mounted as R/W label in red text to the right of 
the volume name. 


[Screenshot: EWMounter window with Dirty_DMG.E01 selected, listing Volumes: Part 1, Part 2 and Part 3, each labelled (Shadow Mounted as R/W), beneath the image's MD5 and SHA1 values] 


The screenshot below shows two files (disk2.txt and disk3.txt) on a shadow mounted volume as 
seen in Finder. There is no pencil icon (read-only symbol) in the lower left corner of the Finder 
window. 


[Screenshot: Finder window for the shadow mounted volume Part 1 listing disk2.txt, disk3.txt and History.plist, with a Quick Look preview of the plist and the Get Info details for disk2.txt (Plain Text Document, 2 KB, created, modified and last opened Wednesday, February 23, 2011 4:45 PM)] 


Because the shadow file has read-write privileges, some file information, such as dates and 
times, may be inaccurate. Time stamps may represent the time the examiner shadow mounted 
the image and the time the FSCK check occurred, and not the original image file timestamps. An 
examiner can add or delete files to and from a mounted shadow file. 




Unmounting an E01 Image File 


When the E01 volumes are no longer needed, you can unmount the volumes in the EWMounter 
application. 
Select the E01 image file. In the top left corner of the window, click Unmount. On the left side of 
the EWMounter application window, the mounted E01 file displays with a red dot to the left of the 
file name, indicating the image file is unmounted. 

[Screenshot: EWMounter window listing macwd.e01 (MacOSXJ, MacOSX, MacOSXD, MacOSS) with a red dot beside it, and Dirty_DMG.E01] 


If the volume does not fully unmount, check to see if the volume is still in use. Quit any running 
applications associated with the image and unmount the volume from the Finder application. If 
the EWMounter application is quit while still having mounted filesystems, a warning appears, 
asking if those devices should be unmounted or ejected. 


Unmount/Eject devices. 

Do you want to unmount or eject all of the currently listed E01 images? 
Extracting RAW images from EWMounter 


You can extract the raw image from within the attached E01 file. 


On the left side of the EWMounter window, select the attached E01 image with a green dot and 
open the context menu, then click Extract Raw Image. The raw disk image will be extracted to the 
selected location. 


[Screenshot: EWMounter window with KreeseUSSFDesktop.E01 selected and its context menu open (Open Raw Image Location..., Extract Raw Image), showing the image file path, device size and block size 512, and the MD5 and SHA1 values; an Export Running... sheet asks “Do you wish to stop the current export process?” with No and Yes buttons while Extracting... is shown] 
Appendix 3 - Inspector License Server Configuration 


The Inspector License Server allows labs with multiple forensic analysis computers to authorize 
Inspector over a Local Area Network (LAN). Multiple Inspector dongles [one for each analysis 
computer] are not needed with the Inspector License Server in place. 


Follow the instructions included in the software activation email to register and license the 
Inspector License Server dongle. Connect the Inspector License Server dongle to the designated 
computer and install the Inspector License Server application. 


Click the Inspector License Server icon to launch the Inspector License Server. 


The Inspector License Server shows all current product licenses contained on the License 
Server dongle. The IP address and the default License Server port, 6672, appear at the bottom of 
the window. 


[Screenshot: Cellebrite Inspector License Server window] 

Product        Total   Used   Available 
BlackLight     1       0      1 
Inspector      5       0      5 

Address: 192.168.1.148:6672 


To change the default License Server port, create a text file named Inspector License Server 
Settings.txt and save it in the same folder as the Inspector License Server application. In that text 
file, type Port = NNNN, where NNNN is the appropriate port number. 


To configure an Inspector forensic analysis client computer, connect the computer to the same 
network segment as the computer running the Inspector License Server. Create a text file to tell 
Inspector to look for the License Server if a local USB dongle is not present. 


1. Create the following file in the current examiner's home directory: 


e macOS: ~/Library/Application Support/Cellebrite/Inspector/Network Dongle.txt 
e Windows 10: ~\AppData\Roaming\Cellebrite\Inspector\Network Dongle.txt 


2. Add a line with the server IP address and port (located at the bottom of the License Server 
window) in this format: Server = 172.17.2.20:6672 


This tells Inspector to look for the License Server at 172.17.2.20 on port 6672 whenever no 
Inspector dongle is connected to the computer. 


Note: For the Cellebrite folder to exist, Inspector needs to be launched at least one time on the 
client computer. The file name Network Dongle.txt is case-sensitive. 
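The server-side settings file and the client-side Network Dongle.txt are both one-line text files, and mistakes in them (wrong folder, wrong case in the file name, a port that does not match the server's override) show up only as Inspector failing to authorize. The following Python script is an added example written for this manual, not part of Inspector or the License Server: it builds both files from the formats given above, refuses to write the client file when the Cellebrite folder does not yet exist (the note above explains why), and parses an existing file back. The reachability check assumes the License Server accepts an ordinary TCP connection on its port; the manual does not describe the protocol, so treat a successful connect only as evidence that the address and port are reachable. Function names are the example's own. 

```python
import ipaddress
import os
import platform
import re
import shutil
import socket
import tempfile

DEFAULT_PORT = 6672                 # default License Server port from this appendix
CLIENT_FILE = "Network Dongle.txt"  # case-sensitive, as the note above says
SERVER_SETTINGS_FILE = "Inspector License Server Settings.txt"


def client_config_path(system=None, home=None):
    """Location Inspector reads Network Dongle.txt from (paths from this appendix)."""
    system = system or platform.system()
    home = home or os.path.expanduser("~")
    if system == "Darwin":
        parts = ("Library", "Application Support", "Cellebrite", "Inspector")
    elif system == "Windows":
        parts = ("AppData", "Roaming", "Cellebrite", "Inspector")
    else:
        raise ValueError("Inspector clients are macOS or Windows, not %s" % system)
    return os.path.join(home, *parts, CLIENT_FILE)


def render_client_config(host, port=DEFAULT_PORT):
    """Build the single 'Server = host:port' line; rejects malformed input early."""
    ipaddress.IPv4Address(host)  # raises ValueError on anything but a dotted quad
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "Server = %s:%d\n" % (host, port)


def render_server_settings(port):
    """Contents of the optional server-side settings file that overrides port 6672."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "Port = %d\n" % port


_SERVER_LINE = re.compile(
    r"^\s*Server\s*=\s*(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s*$")


def parse_client_config(text):
    """Return (host, port) from an existing Network Dongle.txt, or None if no valid line."""
    for line in text.splitlines():
        m = _SERVER_LINE.match(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            continue
        if 1 <= port <= 65535:
            return host, port
    return None


def write_client_config(host, port=DEFAULT_PORT, system=None, home=None):
    """Write Network Dongle.txt, but only if the Cellebrite folder already exists.

    The folder is created the first time Inspector runs on the client, so creating
    it here would hide the fact that Inspector has never been launched.
    """
    path = client_config_path(system, home)
    folder = os.path.dirname(path)
    if not os.path.isdir(folder):
        raise FileNotFoundError("%s missing; launch Inspector once on this client first" % folder)
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.write(render_client_config(host, port))
    return path


def server_reachable(host, port=DEFAULT_PORT, timeout=2.0):
    """TCP connect to the License Server address (assumption: plain TCP service).

    False points at the usual causes: wrong network segment, a host firewall, or
    a custom port in the server settings file that the client line does not match.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo():
    """Round trip in a throwaway home directory (constructed; not a real client)."""
    home = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(home, "Library", "Application Support", "Cellebrite", "Inspector"))
        path = write_client_config("172.17.2.20", system="Darwin", home=home)
        with open(path, encoding="ascii") as fh:
            return parse_client_config(fh.read())
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    print(client_config_path("Darwin", "/Users/examiner"))
    print(demo())
```

On a real client, call write_client_config with the address shown at the bottom of the License Server window and leave system and home at their defaults; if you changed the server port with the settings file, pass the same port here, otherwise the client keeps asking on 6672. 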
When a networked forensic analysis client authorizes Inspector via the License Server, the 
License Server subtracts one license from the total number of available licenses on the License 
Server dongle. 


When all available Inspector License Server licenses are in use, additional instances of Inspector 
fail to initialize. Additional licenses must be purchased and installed on the License Server 
dongle, or an examiner must release the license on a currently authorized client computer by 
exiting Inspector or by shutting down the currently authorized computer. 


Once a license becomes available, either through purchase or when a client computer releases 
an authorization, another forensic analysis computer can run Inspector. 




